From: aholstvoogd@gmail.com
To: ruby-core@ruby-lang.org
Date: Wed, 24 Jun 2015 08:41:47 +0000
Subject: [ruby-core:69728] [Ruby trunk - Bug #10398] Server Name Indication support broken when reusing a (dead) session
List-Id: Ruby developers
X-Redmine-Issue-Id: 10398

Issue #10398 has been updated by Arthur Holstvoogd.

Same issue: #10533

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-53109

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Low
* Assignee: Martin Bosslet
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
RFC 3546 recommends that the client includes the server_name in each client hello message when possible. The Ruby OpenSSL client implementation doesn't send a server_name when it has a session to resume. Normally the server can resume the session and doesn't need the server_name. However, if the server for whatever reason does not recognize the session ID, it is unable to determine what certificate to serve. This can cause intermittent failures.

This issue surfaced due to broken session_id based persistence in a VMware load balancer, causing every second connect to fail due to an invalid certificate. (The second connection was load balanced to another server that didn't know the session.) Since this might also occur if the server forgets the session more quickly than the client, I think this can be considered a bug.

I have tried to figure out how to patch this, but my C knowledge is not sufficient to figure this out.

## Steps to reproduce

When monitoring the following code with Wireshark, it shows that when reopening an https connection with a session, there is no server_name part included in the message. I used the following few lines of code to test:

~~~
require 'net/http'
require 'uri'

uri = URI('https://www.example.com/')
req = Net::HTTP::Get.new uri.request_uri
con = Net::HTTP.new uri.host, uri.port
con.use_ssl = true
con.start   # first handshake: full, with server_name
con.finish
con.start   # second handshake reuses the cached session; produces a certificate error if the session is lost by the server
~~~

-- 
https://bugs.ruby-lang.org/
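As an added example (not code from the issue, nor from Ruby's net/http or openssl), here is the check a practitioner would run over captured ClientHello records to confirm the behaviour described above: parse the handshake, read the offered session_id and the server_name extension, and flag a resumption attempt that omits SNI. The function names and the constructed ClientHello bytes are assumptions; only the TLS wire layout comes from the RFC.

```ruby
# Added example, not from the issue or Ruby itself: inspects a raw TLS
# ClientHello and flags the case the report describes, a resumption
# attempt (non-empty session_id) with no server_name extension. Helper names are hypothetical.
def parse_client_hello(rec)
  raise ArgumentError, 'not a handshake record' unless rec.getbyte(0) == 0x16
  body = rec.byteslice(5, rec.unpack1('@3n'))           # strip record header
  raise ArgumentError, 'not a ClientHello' unless body.getbyte(0) == 0x01
  hs_len = body.byteslice(1, 3).unpack('C3').reduce { |a, b| (a << 8) | b }
  hello = body.byteslice(4, hs_len)
  pos = 2 + 32                                          # client_version, random
  sid_len = hello.getbyte(pos); pos += 1
  session_id = hello.byteslice(pos, sid_len).unpack1('H*'); pos += sid_len
  pos += 2 + hello.unpack1("@#{pos}n")                  # cipher_suites
  pos += 1 + hello.getbyte(pos)                         # compression_methods
  sni = nil
  if pos < hello.bytesize                               # extensions are optional
    stop = pos + 2 + hello.unpack1("@#{pos}n"); pos += 2
    while pos + 4 <= stop
      type, len = hello.unpack("@#{pos}nn"); pos += 4
      if type == 0                                      # server_name (RFC 3546)
        _list_len, name_type, name_len = hello.unpack("@#{pos}nCn")
        sni = hello.byteslice(pos + 5, name_len) if name_type == 0
      end
      pos += len
    end
  end
  { session_id: session_id, sni: sni }
end

# True for the ClientHello the report describes: session offered, SNI absent.
def resumption_without_sni?(rec)
  info = parse_client_hello(rec)
  !info[:session_id].empty? && info[:sni].nil?
end

# Builds a minimal TLS 1.2 ClientHello record (constructed test input).
def build_client_hello(session_id:, sni:)
  exts = ''.b
  if sni
    name = [0, sni.bytesize].pack('Cn') + sni.b         # host_name entry
    exts << [0, name.bytesize + 2, name.bytesize].pack('nnn') + name
  end
  hello = [0x0303].pack('n') + ("\x00" * 32).b +        # version, random
          [session_id.bytesize].pack('C') + session_id.b +
          [2, 0xc02f].pack('nn') + "\x01\x00".b          # one suite, null compression
  hello << [exts.bytesize].pack('n') + exts unless exts.empty?
  hs = [1].pack('C') + [hello.bytesize].pack('N').byteslice(1, 3) + hello
  [0x16, 0x0303, hs.bytesize].pack('Cnn') + hs
end
```

Feed it the bytes of each ClientHello exported from the capture (one TLS record per call); a true result from `resumption_without_sni?` on the second connection is the symptom the report describes.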