  1. Feb 23, 2001
    •
      Fix an oversight - when checking a potential session ID for conflicts with · f85c9904
      Geoff Thorpe authored
      an SSL_CTX's session cache, it is necessary to compare the ssl_version at
      the same time (a conflict is defined, courtesy of SSL_SESSION_cmp(), as a
      matching id/id_length pair and a matching ssl_version). However, the
      SSL_SESSION that will result from the current negotiation does not
      necessarily have the same ssl version as the "SSL_METHOD" in use by the
      SSL_CTX - part of the work in a handshake is to agree on an ssl version!
      
      This is fixed by having the check function accept an SSL pointer rather
      than the SSL_CTX it belongs to.
      
      [Thanks to Lutz for illuminating the full extent of my stupidity]
  2. Feb 22, 2001
  3. Feb 21, 2001
    •
      If a callback is generating a new session ID for SSLv2, then upon exiting, · ec0f1959
      Geoff Thorpe authored
      the ID will be padded out to 16 bytes if the callback attempted to generate
      a shorter one. The problem is that the uniqueness checking function used in
      callbacks may mistakenly think a 9-byte ID is unique when in fact its
      padded 16-byte version is not. This makes the checking function detect
      SSLv2 cases, and ensures the padded form is checked rather than the shorter
      one passed by the callback.
    •
      fa2b8db4
    •
      This adds command-line support to s_server for controlling the generation · 1aa0d947
      Geoff Thorpe authored
      of session IDs. Namely, passing "-id_prefix <text>" will set a
      generate_session_id() callback that generates session IDs as random data
      with <text> block-copied over the top of the start of the ID. This can be
      viewed by watching the session ID in s_client's output when it connects.
      
      This is mostly useful for testing any SSL/TLS code (eg. proxies) that wish
      to deal with multiple servers, each of which might be generating a
      unique range of session IDs (eg. with a certain prefix).
    •
      This change allows a callback to be used to override the generation of · dc644fe2
      Geoff Thorpe authored
      SSL/TLS session IDs in a server. According to RFC2246, the session ID is an
      arbitrary value chosen by the server. It can be useful to have some control
      over this "arbitrary value" so as to choose it in ways that can aid in
      things like external session caching and balancing (eg. clustering). The
      default session ID generation is to fill the ID with random data.
      
      The callback used by default is built in to ssl_sess.c, but registering a
      callback in an SSL_CTX or in a particular SSL overrides this. BTW: SSL
      callbacks will override SSL_CTX callbacks, and a new SSL structure inherits
      any callback set in its 'parent' SSL_CTX. The header comments describe how
      this mechanism ticks, and source code comments describe (hopefully) why it
      ticks the way it does.
      
      Man pages are on the way ...
      
      [NB: Lutz was also hacking away and helping me to figure out how best to do
      this.]
    •
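Added example (not OpenSSL code and not part of any commit on this page): a self-contained C model of the session-ID uniqueness check that the four session-ID commits above describe, namely the generate_session_id() callback (dc644fe2), prefixed IDs in the style of s_server's -id_prefix (1aa0d947), the SSLv2 rule that a short ID is padded to 16 bytes after the callback returns (ec0f1959), and the requirement that the conflict check compare the version negotiated for the SSL rather than the SSL_CTX method's version (f85c9904). The fixed-size cache, the names cache_has_id, cache_add, has_matching_session_id, generate_prefixed_id and seeded, the counter-based fill and the zero padding of short SSLv2 IDs are assumptions made for this illustration; in OpenSSL the corresponding calls are SSL_CTX_set_generate_session_id() and SSL_has_matching_session_id(), the latter taking the SSL pointer so the negotiated version is the one compared.

```c
#include <string.h>

#define SSL_MAX_SSL_SESSION_ID_LENGTH 32  /* OpenSSL's upper bound on an ID */
#define SSL2_SSL_SESSION_ID_LENGTH    16  /* SSLv2 IDs are always 16 bytes */
#define SSL2_VERSION 0x0002
#define TLS1_VERSION 0x0301
struct session { int ssl_version; unsigned int id_length;
                 unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; };
/* Toy stand-in for an SSL_CTX's session cache (assumption: a fixed array). */
struct session_cache { struct session entries[8]; unsigned int count; };

/* Raw lookup with SSL_SESSION_cmp()'s definition of a conflict: matching
 * id/id_length AND matching ssl_version. Pass the version negotiated for the
 * SSL in progress, not the version of the SSL_CTX's SSL_METHOD. */
int cache_has_id(const struct session_cache *c, int ssl_version,
                 const unsigned char *id, unsigned int id_len)
{
    unsigned int i;
    for (i = 0; i < c->count; i++)
        if (c->entries[i].ssl_version == ssl_version &&
            c->entries[i].id_length == id_len &&
            memcmp(c->entries[i].session_id, id, id_len) == 0)
            return 1;
    return 0;
}

int cache_add(struct session_cache *c, int ssl_version,
              const unsigned char *id, unsigned int id_len)
{
    struct session *s = &c->entries[c->count];
    if (c->count >= 8 || id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) return 0;
    memset(s, 0, sizeof *s);
    s->ssl_version = ssl_version; s->id_length = id_len;
    memcpy(s->session_id, id, id_len);
    c->count++;
    return 1;
}

/* Callback-side check. For SSLv2 the generator pads a short ID to 16 bytes
 * after the callback returns (zero padding assumed), so compare the padded
 * form, not the short one the callback built. */
int has_matching_session_id(const struct session_cache *c, int ssl_version,
                            const unsigned char *id, unsigned int id_len)
{
    unsigned char padded[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0};
    if (id_len > sizeof padded) return 0;
    memcpy(padded, id, id_len);
    if (ssl_version == SSL2_VERSION && id_len < SSL2_SSL_SESSION_ID_LENGTH)
        id_len = SSL2_SSL_SESSION_ID_LENGTH;
    return cache_has_id(c, ssl_version, padded, id_len);
}

/* generate_session_id()-style callback in the spirit of -id_prefix: fill from
 * a toy counter generator (NOT random, NOT for real use), block-copy the
 * prefix over the start, and retry while the result collides with the cache. */
int generate_prefixed_id(const struct session_cache *c, int ssl_version,
                         const char *prefix, unsigned int counter,
                         unsigned char *id, unsigned int *id_len)
{
    unsigned int plen = (unsigned int)strlen(prefix), tries, i;
    if (plen > *id_len) return 0;
    for (tries = 0; tries < 10; tries++, counter++) {
        for (i = 0; i < *id_len; i++)
            id[i] = (unsigned char)(counter * 31u + i * 7u);
        memcpy(id, prefix, plen);
        if (!has_matching_session_id(c, ssl_version, id, *id_len)) return 1;
    }
    return 0;
}

/* Constructed cache: one SSLv2 session whose 16-byte ID is 9 bytes + padding. */
static const struct session_cache seeded = {
    { { SSL2_VERSION, SSL2_SSL_SESSION_ID_LENGTH, "clusterA1" } }, 1 };

/* ec0f1959 + f85c9904: the callback proposes the same 9 bytes. 1 iff the raw
 * lookup wrongly says "unique", the padded lookup sees the conflict, and the
 * same bytes under TLS1 are no conflict because the version differs. */
int demo_padding_and_version(void)
{
    static const unsigned char proposed[] = "clusterA1";
    return cache_has_id(&seeded, SSL2_VERSION, proposed, 9) == 0 &&
           has_matching_session_id(&seeded, SSL2_VERSION, proposed, 9) == 1 &&
           has_matching_session_id(&seeded, TLS1_VERSION, proposed, 9) == 0;
}

/* 1aa0d947 + dc644fe2: generate, cache the result, generate again from the
 * same counter. 1 iff the callback retried past the collision. */
int demo_generate_retries(void)
{
    struct session_cache c = seeded;
    unsigned char first[16], second[16];
    unsigned int len = 16;
    if (!generate_prefixed_id(&c, SSL2_VERSION, "clusterA", 0, first, &len) ||
        !cache_add(&c, SSL2_VERSION, first, len) ||
        !generate_prefixed_id(&c, SSL2_VERSION, "clusterA", 0, second, &len))
        return 0;
    return memcmp(second, "clusterA", 8) == 0 && memcmp(first, second, 16) != 0 &&
           !has_matching_session_id(&c, SSL2_VERSION, second, len);
}
```

Both demo functions return 1 when the model behaves as the commit messages describe; call them from a main() or test harness after compiling with `cc -std=c99 -Wall`. The retry loop is capped so that a callback which cannot find a free ID gives up and returns 0 instead of handing back an ID it knows is in use.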
      'make update' · 47ddf355
      Geoff Thorpe authored
    •
      'make update' · 941181ec
      Richard Levitte authored
    •
      Modify mkdef.pl to recognise and parse preprocessor conditionals of the · d399fdf8
      Richard Levitte authored
      form '#if defined(...) || defined(...) || ...' and '#if !defined(...)
      && !defined(...) && ...'.  This also avoids the growing number of
      special cases it was previously handling (some of them wrongly).
  4. Feb 20, 2001