boringssl

History

David Benjamin 33dad1b7a1 Stop pretending to ssl_clear_bad_session. We broke this to varying degrees ages ago. This is the logic to implement the variations of rules in TLS to discard sessions after a failed connection, where a failed connection could be one of: - A connection that was not cleanly shut down. - A connection that received a fatal alert. The first one is nonsense since close_notify does not actually work in the real world. The second is a vaguely more plausible but... - A stateless ticket-based server can't drop sessions anyway. - In TLS 1.3, a client may receive many tickets over the lifetime of a single connection. With an external session cache like ours which may, in theory, but multithreaded, this will be a huge hassle to track. - A client may well attempt to establish a connection and reuse the session before we receive the fatal alert, so any application state we hope to manage won't really work. - An attacker can always close the connection before the fatal alert, so whatever security policy clearing the session gave is easily bypassable. Implementation-wise, this has basically never worked. The ssl_clear_bad_session logic called into SSL_CTX_remove_session which relied on the internal session cache. (Sessions not in the internal session cache don't get removed.) The internal session cache was only useful for a server, where tickets prevent this mechanism from doing anything. For a client, we since removed the internal session cache, so nothing got removed. The API for a client also did not work as it gave the SSL_SESSION, not the SSL, so a consumer would not know the key to invalidate anyway. The recent session state splitting change further broke this. Moreover, calling into SSL_CTX_remove_session logic like that is extremely dubious because it mutates the not_resumable flag on the SSL_SESSION which isn't thread-safe. Spec-wise, TLS 1.3 has downgraded the MUST to a SHOULD. Given all that mess, just remove this code. It is no longer necessary to call SSL_shutdown just to make session caching work. Change-Id: Ib601937bfc5f6b40436941e1c86566906bb3165d Reviewed-on: https://boringssl-review.googlesource.com/9091 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	2016-08-03 21:07:36 +00:00
..
openssl	Stop pretending to ssl_clear_bad_session.	2016-08-03 21:07:36 +00:00

David Benjamin 33dad1b7a1 Stop pretending to ssl_clear_bad_session.

We broke this to varying degrees ages ago.

This is the logic to implement the variations of rules in TLS to discard
sessions after a failed connection, where a failed connection could be
one of:

- A connection that was not cleanly shut down.

- A connection that received a fatal alert.

The first one is nonsense since close_notify does not actually work in
the real world. The second is a vaguely more plausible but...

- A stateless ticket-based server can't drop sessions anyway.

- In TLS 1.3, a client may receive many tickets over the lifetime of a
  single connection. With an external session cache like ours which may,
  in theory, but multithreaded, this will be a huge hassle to track.

- A client may well attempt to establish a connection and reuse the
  session before we receive the fatal alert, so any application state we
  hope to manage won't really work.

- An attacker can always close the connection before the fatal alert, so
  whatever security policy clearing the session gave is easily
  bypassable.

Implementation-wise, this has basically never worked. The
ssl_clear_bad_session logic called into SSL_CTX_remove_session which
relied on the internal session cache. (Sessions not in the internal
session cache don't get removed.) The internal session cache was only
useful for a server, where tickets prevent this mechanism from doing
anything. For a client, we since removed the internal session cache, so
nothing got removed. The API for a client also did not work as it gave
the SSL_SESSION, not the SSL, so a consumer would not know the key to
invalidate anyway.

The recent session state splitting change further broke this.

Moreover, calling into SSL_CTX_remove_session logic like that is
extremely dubious because it mutates the not_resumable flag on the
SSL_SESSION which isn't thread-safe.

Spec-wise, TLS 1.3 has downgraded the MUST to a SHOULD.

Given all that mess, just remove this code. It is no longer necessary to
call SSL_shutdown just to make session caching work.

Change-Id: Ib601937bfc5f6b40436941e1c86566906bb3165d
Reviewed-on: https://boringssl-review.googlesource.com/9091
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

2016-08-03 21:07:36 +00:00

openssl

Stop pretending to ssl_clear_bad_session.

2016-08-03 21:07:36 +00:00