From: aholstvoogd@gmail.com
To: ruby-core@ruby-lang.org
Date: Sun, 19 Oct 2014 12:31:51 +0000
Subject: [ruby-core:65789] [ruby-trunk - Bug #10398] [Open] Server Name Indication support broken when reusing a (dead) session
List-Id: Ruby developers
X-Mail-Count: 65789
X-Redmine-Host: bugs.ruby-lang.org
X-Redmine-Project: ruby-trunk
X-Redmine-Issue-Id: 10398
X-Redmine-Issue-Author: a.holstvoogd
X-Redmine-Issue-Assignee: MartinBosslet

Issue #10398 has been reported by Arthur Holstvoogd.
----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Low
* Assignee: Martin Bosslet
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
RFC 3546 recommends that the client include the server_name in each client hello message when possible. The Ruby OpenSSL client implementation doesn't send a server_name when it has a session to resume. Normally the server can resume the session and doesn't need the server_name. However, if the server for whatever reason does not recognize the session ID, it is unable to determine which certificate to serve. This can cause intermittent failures.

This issue surfaced due to broken session-ID-based persistence in a VMware load balancer, causing every second connect to fail due to an invalid certificate. (The second connection was load balanced to another server that didn't know the session.) Since this might also occur if the server forgets the session more quickly than the client, I think this can be considered a bug.

I have tried to figure out how to patch this, but my C knowledge is not sufficient to figure this out.

## Steps to reproduce

When monitoring the following code with Wireshark, it shows that when reopening an https connection with a session, there is no server_name part included in the message. I used the following few lines of code to test:

~~~
require 'net/http'  # also loads uri and (lazily) openssl; added so the snippet runs as-is

uri = URI('https://www.example.com/')
req = Net::HTTP::Get.new uri.request_uri  # request object is built but never sent; the handshakes alone show the behaviour
con = Net::HTTP.new uri.host, uri.port
con.use_ssl = true
con.start   # first handshake: no session yet, so server_name is sent
con.finish  # Net::HTTP keeps the SSL session and offers it on the next start
con.start   # Produces a certificate error if the session is lost by the server
~~~

-- 
https://bugs.ruby-lang.org/
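To check this behaviour without Wireshark, here is an added example of my own; it is not the reporter's snippet and not code from ext/openssl. A loopback TLS server selects its certificate from the server_name extension (falling back to a default certificate when none arrives, like the reporter's load balancer), and a client connects three times: once normally, then twice offering the first session to a server instance that has forgotten it, with and without SNI. It assumes an openssl gem that provides SSLContext#max_version= (2.1 or later, Ruby 2.5+), working loopback sockets, and the constructed hostnames right.example and wrong.example with throwaway self-signed certificates generated at load time. It goes a little beyond the report: besides the stale-session-without-SNI case seen on the wire, it runs the stale-session-with-SNI case and applies the same hostname identity check that Net::HTTP performs in post_connection_check.

```ruby
# Added example: not the reporter's snippet and not ext/openssl code. A
# loopback TLS server selects its certificate from SNI; the client then offers
# a session the server has forgotten, with and without server_name.
# Hostnames right.example / wrong.example, keys and certs are constructed here.
require 'openssl'
require 'socket'

HOSTS = %w[right.example wrong.example].freeze
KEYS  = HOSTS.map { |h| [h, OpenSSL::PKey::RSA.new(2048)] }.to_h

# Self-signed certificate for +cn+; it doubles as the client's trust anchor.
def make_cert(cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = HOSTS.index(cn) + 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

CERTS = HOSTS.map { |h| [h, make_cert(h, KEYS[h])] }.to_h

# Server side: the default context carries the wrong.example certificate; the
# right one is swapped in only when SNI names it (a vhost / load balancer).
def server_context
  per_name = HOSTS.map do |h|
    c = OpenSSL::SSL::SSLContext.new
    c.cert, c.key = CERTS[h], KEYS[h]
    [h, c]
  end.to_h
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = CERTS['wrong.example'], KEYS['wrong.example']
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION  # session-id/ticket resumption as in the report
  ctx.servername_cb = proc { |_sock, name| per_name[name] }  # nil keeps the default certificate
  ctx
end

# Serve exactly one connection on an ephemeral port. Every call builds a new
# context (empty session cache, fresh ticket key): the "server forgot" case.
def with_server
  tcp = TCPServer.new('127.0.0.1', 0)
  ctx = server_context
  th = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(tcp.accept, ctx)
    ssl.sync_close = true
    begin
      ssl.accept
    rescue OpenSSL::SSL::SSLError, SystemCallError  # client rejected our certificate
    ensure
      ssl.close
    end
  end
  yield tcp.addr[1]
ensure
  th&.join(10)
  tcp&.close
end

def client_context
  store = OpenSSL::X509::Store.new
  CERTS.each_value { |c| store.add_cert(c) }
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# One handshake. +sni+ decides whether server_name is sent, +session+ is offered
# for resumption. Returns the CN the server actually served, whether the session
# was resumed, whether that certificate is valid for right.example (the check
# Net::HTTP performs in post_connection_check) and the resulting session.
def probe(port, sni: nil, session: nil)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), client_context)
  ssl.sync_close = true
  ssl.hostname = sni if sni
  ssl.session = session if session
  ssl.connect
  cert = ssl.peer_cert
  { cn: cert.subject.to_a.assoc('CN')[1],
    reused: ssl.session_reused?,
    identity_ok: OpenSSL::SSL.verify_certificate_identity(cert, 'right.example'),
    session: ssl.session }
ensure
  ssl&.close
end

# The sequence from the report: a normal handshake, then the same session
# offered to a server that has forgotten it, first with SNI, then without.
def sni_on_stale_session
  fresh  = with_server { |port| probe(port, sni: 'right.example') }
  stale  = with_server { |port| probe(port, sni: 'right.example', session: fresh[:session]) }
  no_sni = with_server { |port| probe(port, session: fresh[:session]) }
  { fresh: fresh, with_sni: stale, without_sni: no_sni }
end
```

Call `sni_on_stale_session` on the Ruby you want to test and look at the `:cn` and `:identity_ok` fields. The `:without_sni` probe comes back with the default wrong.example certificate and fails the identity check, which is exactly why the reporter saw certificate errors: with no server_name and no recognizable session, the server has nothing to select on. The `:with_sni` probe is the actual check. If it also returns wrong.example, the client dropped server_name from the ClientHello when it offered the session, the behaviour the report describes; if it returns right.example with `reused: false`, SNI is being sent on resumption attempts too and the server could recover from the lost session.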