[omniORB] fixed SSLIOP Interoperability issues (from JacORB call omniORB)
Jiang Wei
2009-05-19 07:59:30 UTC
SSL_CTX_set_session_id_context(3) says: "
WARNINGS
If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail.

If a server returns a different session id context to an OpenSSL client when reusing a session, an error will be flagged and the handshake will fail. OpenSSL servers will always return the correct session id context, as an OpenSSL server checks the session id context itself before reusing a session as described above.
"
Index: sslContext.cc
===================================================================
RCS file:
/cvsroot/omniorb/omni/src/lib/omniORB/orbcore/ssl/Attic/sslContext.cc,v
retrieving revision 1.1.4.6
diff -u -b -r1.1.4.6 sslContext.cc
--- sslContext.cc 6 May 2009 16:14:51 -0000 1.1.4.6
+++ sslContext.cc 19 May 2009 01:56:29 -0000
@@ -158,6 +158,19 @@
OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,
CORBA::COMPLETED_NO);
}
+
+ static const unsigned char session_id_context [] = "omniORB";
+ size_t session_id_len =
+ (sizeof session_id_context >= SSL_MAX_SSL_SESSION_ID_LENGTH)
+ ? SSL_MAX_SSL_SESSION_ID_LENGTH : sizeof session_id_context;
+
+ if (SSL_CTX_set_session_id_context(pd_ctx,
+ session_id_context, session_id_len) != 1) {
+ report_error();
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,
+ CORBA::COMPLETED_NO);
+ }
+
set_supported_versions();
seed_PRNG();
set_certificate();
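Review bot: The length clamp in the added block compares against SSL_MAX_SSL_SESSION_ID_LENGTH, which bounds session IDs; the limit that applies to the sid_ctx argument of SSL_CTX_set_session_id_context() is SSL_MAX_SID_CTX_LENGTH. Both constants are 32 in OpenSSL, so behaviour does not change, but the code should name the one that applies. Two smaller points on the same lines: sizeof session_id_context counts the terminating NUL, so the context passed is 8 bytes rather than the 7 characters of "omniORB" (use sizeof session_id_context - 1 if the NUL is not intended), and session_id_len is declared size_t where the function takes an unsigned int. Because the string is a compile-time constant well under the limit, the conditional could be dropped altogether. A short comment stating why the context is set (without it, session reuse with client certificates fails the handshake, per the man page warning quoted above) would help the next reader, and it is worth deciding whether one fixed "omniORB" value shared by every application built on the ORB is intended or whether the value should be configurable.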
Duncan Grisby
2009-05-28 15:55:49 UTC
Post by Jiang Wei
SSL_CTX_set_session_id_context(3) says: "
WARNINGS
If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail.
Thanks for that. I've applied your patch. I have to say that the OpenSSL
documentation is dreadful. I have no idea what it's on about.

Cheers,

Duncan.
--
-- Duncan Grisby --
-- ***@grisby.org --
-- http://www.grisby.org --