From: zzak@ruby-lang.org
To: ruby-core@ruby-lang.org
Date: Sun, 13 Sep 2015 03:07:54 +0000
Subject: [ruby-core:70737] [Ruby trunk - Bug #10398] Server Name Indication support broken when reusing a (dead) session
X-Redmine-Issue-Id: 10398
X-Redmine-Host: bugs.ruby-lang.org
List-Id: Ruby developers

Issue #10398 has been updated by Zachary Scott.

Assignee changed from Martin Bosslet to openssl

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-54116

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
RFC3546 recommends that the client includes the server_name in each client hello message when possible. The ruby openssl client implementation doesn't send a server_name when it has a session to resume. Normally the server can resume the session and doesn't need the server_name.
However, if the server for whatever reason does not recognize the session ID, it is unable to determine what certificate to serve. This can cause intermittent failures.

This issue surfaced due to broken session_id based persistence in a VMWare load balancer, causing every second connect to fail due to an invalid certificate. (The second connection was load balanced to another server that didn't know the session.) Since this might also occur if the server forgets the session more quickly than the client, I think this can be considered a bug.

I have tried to figure out how to patch this, but my C knowledge is not sufficient to figure this out.

## Steps to reproduce

When monitoring the following code with wireshark, it shows that when reopening an https connection with a session, there is no server_name part included in the message. I used the following few lines of code to test:

~~~ruby
require 'net/http'
require 'uri'

uri = URI('https://www.example.com/')
req = Net::HTTP::Get.new uri.request_uri
con = Net::HTTP.new uri.host, uri.port
con.use_ssl = true
con.start    # first handshake: full handshake, carries server_name
con.finish
con.start    # Produces a certificate error if the session is lost by the server
~~~

--
https://bugs.ruby-lang.org/