-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSSL 3.2.0 - sessions, time, signed vs unsigned, failure with negative session timeout values #703
Comments
I just checked this issue, and it seems to behave the same for TLSv1.3 & TLSv1.2. See below, a negative ctx.timeout doesn't work with OpenSSL 3.2.0. JFYI, I patched a Puma test file, as I'm familiar with its session tests...
|
Looked at this a bit more, and OpenSSL 1.1.x allows storing a negative session timeout, as noted in the data below:
net/http contains the following code: if @ssl_session and
Process.clock_gettime(Process::CLOCK_REALTIME) < @ssl_session.time.to_f + @ssl_session.timeout
s.session = @ssl_session
end It's been a while since I've reviewed session negotiation, etc, and that was mostly TLSv1.3 & TLSv1.2. I thought timeout was normally associated with cache mechanisms, and hence, used on the server, not the client. The net/http code is using it to determine whether to use the session in a client request, so its use of |
Thank you for digging into this! IIUC OpenSSL 3.2.0 didn't intend to break backwards-compatibility, but setting the timeout value to a negative number doesn't seem like a feature. The SSLeay documentation from 1997 (or even before) suggests that it was actually intended to be
(As with many other accessor functions in SSLeay/OpenSSL, the actual backing field on The current manpages don't say anything about when setting it to zero or a negative value. |
That's about as far I feel comfortable going. I thought maybe throwing an error if the value is set to a negative (and maybe zero) value would be helpful. I can't recall if somewhere in the OpenSSL code I saw something that took a zero value as 'use the default', not sure.
Agreed. But, net/http seems to be making use of it to determine whether to reuse a session. Hence, the PR there that allows it work by using the context (negative) value, then using the session value if the context value is nil. If the context value is positive, it's used as intended. I added a comment that hopefully was clear. I think that made sense... |
JFYI, MSFT/vcpkg just updated to OpenSSL 3.2.0. So, all Windows head builds are using 3.2.0, as MSYS2 previously updated to it. Happy Holidays / Merry Christmas Greg |
I just updated build tools locally, and noticed that all the Ruby head builds are using OpenSSL |
Very recently MSYS2 (Windows ucrt & mingw builds) upgraded their OpenSSL package from OpenSSL 3.1.4 to 3.2.0.
As we've seen, there are issues with a net-http test failing, which is setting
http.ssl_timeout
to -1.A commit in OpenSSL (openssl/openssl@f0131dc) updates
SSL_CTX_set_timeout
inssl/ssl_sess.c
, and the commit only affects 3.2.0.Some of the code seems to imply
uint64_t
for timeout values.Another day where I'm AFK on and off...
The text was updated successfully, but these errors were encountered: