* [ruby-core:65789] [ruby-trunk - Bug #10398] [Open] Server Name Indication support broken when reusing a (dead) session
From: aholstvoogd @ 2014-10-19 12:31 UTC (permalink / raw)
  To: ruby-core

Issue #10398 has been reported by Arthur Holstvoogd.

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Low
* Assignee: Martin Bosslet
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
RFC3546 recommends that the client include the server_name in each client hello message when possible.

The Ruby OpenSSL client implementation doesn't send a server_name when it has a session to resume. Normally the server can resume the session and doesn't need the server_name. However, if the server for whatever reason does not recognize the session ID, it is unable to determine what certificate to serve. This can cause intermittent failures.

This issue surfaced due to broken session_id-based persistence in a VMware load balancer, causing every second connect to fail due to an invalid certificate. (The second connection was load balanced to another server that didn't know the session.) Since this might also occur if the server forgets the session more quickly than the client, I think this can be considered a bug.

I have tried to figure out how to patch this, but my C knowledge is not sufficient to figure this out.

## Steps to reproduce

When monitoring the following code with Wireshark, it shows that when reopening an HTTPS connection with a session, there is no server_name part included in the message.
I used the following few lines of code to test:
~~~
require 'net/http'   # also loads 'uri'; openssl is loaded once use_ssl is set

uri = URI('https://www.example.com/')
req = Net::HTTP::Get.new uri.request_uri   # built but never sent; the handshakes alone reproduce the issue
con = Net::HTTP.new uri.host, uri.port
con.use_ssl = true
con.start    # first handshake: full, the ClientHello carries server_name
con.finish   # closes the socket; Net::HTTP remembers the SSL session and offers it on the next start
con.start    # Produces a certificate error if the session is lost by the server
~~~



-- 
https://bugs.ruby-lang.org/
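To see the condition the report describes the way Wireshark shows it, here is an added example (not from the bug report or from Ruby's openssl extension) that builds a minimal TLS 1.2 ClientHello and reads it back: `build_client_hello`, `client_hello_info` and `resumption_without_sni?` are constructed helpers, and the random bytes and cipher suite are dummies.

```ruby
# Added example, not from the bug report or Ruby's openssl: build a minimal TLS 1.2
# ClientHello and read it back as Wireshark would, flagging a resumption attempt
# (non-empty session_id) with no server_name extension. Random/cipher suite are dummies.
SNI_EXT_TYPE = 0x0000

def build_client_hello(session_id: "", host: nil)
  body = [0x03, 0x03].pack("C2") << ("\x00" * 32)      # client_version, random
  body << [session_id.bytesize].pack("C") << session_id.b
  body << [2, 0xC02F].pack("nn") << [1, 0].pack("CC")   # one cipher suite, null compression
  exts = "".b
  if host                                                # server_name extension (RFC 3546 section 3.1)
    name = [0, host.bytesize].pack("Cn") << host.b       # NameType host_name(0), name
    list = [name.bytesize].pack("n") << name
    exts << [SNI_EXT_TYPE, list.bytesize].pack("nn") << list
  end
  body << [exts.bytesize].pack("n") << exts
  hs = [1].pack("C") << [body.bytesize].pack("N").byteslice(1, 3) << body  # client_hello(1), uint24 length
  [0x16, 0x03, 0x01, hs.bytesize].pack("C3n") << hs      # record layer: handshake(22)
end

# Returns what a capture shows: session_id length and the SNI host (nil if absent).
def client_hello_info(rec)
  rec = rec.b
  raise "not a TLS handshake record" unless rec.getbyte(0) == 0x16
  pos = 5 + 4 + 2 + 32                      # record header, handshake header, version, random
  sid_len = rec.getbyte(pos)
  pos += 1 + sid_len
  pos += 2 + rec.byteslice(pos, 2).unpack1("n")   # skip cipher_suites
  pos += 1 + rec.getbyte(pos)                     # skip compression_methods
  sni = nil
  if pos < rec.bytesize                           # extensions block is optional
    stop = pos + 2 + rec.byteslice(pos, 2).unpack1("n")
    pos += 2
    while pos < stop
      type, len = rec.byteslice(pos, 4).unpack("nn")
      pos += 4
      # server_name list: list_len(2), name_type(1), name_len(2), name
      sni = rec.byteslice(pos + 5, rec.byteslice(pos + 3, 2).unpack1("n")) if type == SNI_EXT_TYPE
      pos += len
    end
  end
  { session_id_len: sid_len, sni: sni }
end

# The report's failure mode: trying to resume a session with no server_name to fall back on.
def resumption_without_sni?(rec)
  info = client_hello_info(rec)
  info[:session_id_len] > 0 && info[:sni].nil?
end
```

Feeding a real captured ClientHello record to `client_hello_info` works the same way, since the parser only follows the fixed field layout of the handshake message.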


* [ruby-core:69728] [Ruby trunk - Bug #10398] Server Name Indication support broken when reusing a (dead) session
From: aholstvoogd @ 2015-06-24  8:41 UTC (permalink / raw)
  To: ruby-core

Issue #10398 has been updated by Arthur Holstvoogd.


Same issue: #10533

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-53109

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Low
* Assignee: Martin Bosslet
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------

* [ruby-core:70737] [Ruby trunk - Bug #10398] Server Name Indication support broken when reusing a (dead) session
From: zzak @ 2015-09-13  3:07 UTC (permalink / raw)
  To: ruby-core

Issue #10398 has been updated by Zachary Scott.

Assignee changed from Martin Bosslet to openssl

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-54116

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------

* [ruby-core:71948] [Ruby trunk - Bug #10398] Server Name Indication support broken when reusing a (dead) session
From: michiel @ 2015-12-08 13:20 UTC (permalink / raw)
  To: ruby-core

Issue #10398 has been updated by Michiel Karnebeek.


bugs.ruby-lang.org/issues/11401 solves this issue.

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-55356

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------

* [ruby-core:76202] [Ruby trunk Bug#10398][Closed] Server Name Indication support broken when reusing a (dead) session
From: k @ 2016-06-29 13:16 UTC (permalink / raw)
  To: ruby-core

Issue #10398 has been updated by Kazuki Yamaguchi.

Status changed from Open to Closed

This should have been fixed by r52682 (in [Bug #11401], as Michiel suggests), and the root cause was also fixed by r55191 (in [Bug #11724]).

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-59418

* Author: Arthur Holstvoogd
* Status: Closed
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
