Date: Tue, 08 Dec 2015 13:20:10 +0000
From: michiel@karnebeek.com
To: ruby-core@ruby-lang.org
Subject: [ruby-core:71948] [Ruby trunk - Bug #10398] Server Name Indication support broken when reusing a (dead) session

Issue #10398 has been updated by Michiel Karnebeek.

bugs.ruby-lang.org/issues/11401 solves this issue.

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-55356

* Author: Arthur Holstvoogd
* Status: Open
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
RFC3546 recommends that the client include the server_name in each client hello message when possible. The ruby openssl client implementation doesn't send a server_name when it has a session to resume. Normally the server can resume the session and doesn't need the server_name. However, if the server for whatever reason does not recognize the session ID, it is unable to determine what certificate to serve. This can cause intermittent failures.
This issue surfaced due to broken session_id based persistence in a VMWare load balancer, causing every second connect to fail due to an invalid certificate. (The second connection was load balanced to another server that didn't know the session.) Since this might also occur if the server forgets the session more quickly than the client, I think this can be considered a bug. I have tried to figure out how to patch this, but my C knowledge is not sufficient to figure this out.

## Steps to reproduce

When monitoring the following code with Wireshark, it shows that when reopening an https connection with a session, there is no server_name part included in the message. I used the following few lines of code to test:

~~~
require 'net/http'   # also loads 'uri'

uri = URI('https://www.example.com/')
req = Net::HTTP::Get.new uri.request_uri
con = Net::HTTP.new uri.host, uri.port
con.use_ssl = true
con.start    # first connect: full handshake, server_name is sent
con.finish   # closes the socket; Net::HTTP keeps the SSL session for reuse
con.start    # Produces a certificate error if the session is lost by the server
~~~

-- 
https://bugs.ruby-lang.org/
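The report is verified by looking at the ClientHello on the wire, so the useful companion is a check that can be run over captured bytes: does a hello that carries a session_id (a resumption attempt) also carry a server_name extension? The Ruby below is an added example written for this note; it is not code from the bug report, from Ruby's openssl extension, or from Net::HTTP. It contains a minimal ClientHello parser for the TLS 1.2 wire layout (record header, handshake header, client_version, random, session_id, cipher_suites, compression_methods, extensions) and a small builder that constructs sample hellos inline so the example runs offline; `build_client_hello`, `parse_client_hello` and `resumption_without_sni?` are names chosen here, and the session_id, cipher suites and random in the samples are constructed values, not a real capture.

```ruby
# Added example: detect the failure mode from Bug #10398 in a captured
# TLS ClientHello: a resumption attempt (non-empty session_id) that
# carries no server_name (SNI) extension.

# Construct a ClientHello record for testing (sample data, not a capture).
def build_client_hello(session_id: "", sni: nil)
  body = "\x03\x03".b                                  # client_version: TLS 1.2
  body << ("\x00".b * 32)                              # random (constructed, all zero)
  body << [session_id.bytesize].pack("C") << session_id.b
  suites = "\xC0\x2F\x00\x9C".b                        # two cipher suites (constructed list)
  body << [suites.bytesize].pack("n") << suites
  body << "\x01\x00".b                                 # compression_methods: null only
  exts = "".b
  if sni
    name = sni.b
    # ServerNameList: list_len(2), name_type(1)=host_name, name_len(2), name
    sni_data = [name.bytesize + 3].pack("n") + "\x00".b + [name.bytesize].pack("n") + name
    exts << [0, sni_data.bytesize].pack("nn") << sni_data   # extension type 0 = server_name
  end
  exts << [0x0017, 0].pack("nn")                       # extended_master_secret, empty body
  body << [exts.bytesize].pack("n") << exts
  hs = "\x01".b + [body.bytesize].pack("N")[1, 3] + body  # handshake type 1, 3-byte length
  "\x16\x03\x01".b + [hs.bytesize].pack("n") + hs         # record type 22 (handshake)
end

# Parse one TLS record holding a ClientHello.
# Returns { session_id: hex string ("" if none), sni: host name or nil }.
# Raises ArgumentError for anything that is not a well-formed ClientHello.
def parse_client_hello(rec)
  rec = rec.b
  raise ArgumentError, "not a handshake record" unless rec.getbyte(0) == 0x16
  rec_len = rec[3, 2].unpack1("n")
  raise ArgumentError, "truncated record" unless rec.bytesize == 5 + rec_len
  raise ArgumentError, "not a ClientHello" unless rec.getbyte(5) == 0x01
  hs_len = ("\x00".b + rec[6, 3]).unpack1("N")
  hello = rec[9, hs_len]
  raise ArgumentError, "truncated handshake" unless hello && hello.bytesize == hs_len

  pos = 2 + 32                                         # skip client_version and random
  sid_len = hello.getbyte(pos); pos += 1
  session_id = hello[pos, sid_len].unpack1("H*"); pos += sid_len
  cs_len = hello[pos, 2].unpack1("n"); pos += 2 + cs_len   # skip cipher_suites
  cm_len = hello.getbyte(pos); pos += 1 + cm_len           # skip compression_methods

  sni = nil
  if pos < hello.bytesize                              # extensions block is optional
    ext_len = hello[pos, 2].unpack1("n"); pos += 2
    ext_end = pos + ext_len
    while pos + 4 <= ext_end
      type, len = hello[pos, 4].unpack("nn"); pos += 4
      data = hello[pos, len]; pos += len
      next unless type == 0                            # server_name extension
      off = 2                                          # skip ServerNameList length
      while off + 3 <= data.bytesize
        ntype = data.getbyte(off)
        nlen = data[off + 1, 2].unpack1("n")
        sni = data[off + 3, nlen] if ntype == 0 && sni.nil?   # first host_name entry
        off += 3 + nlen
      end
    end
  end
  { session_id: session_id, sni: sni }
end

# The condition the report describes: the client offers a session to
# resume but gives the server no server_name to fall back on.
def resumption_without_sni?(rec)
  h = parse_client_hello(rec)
  !h[:session_id].empty? && h[:sni].nil?
end

if __FILE__ == $0
  sid = "\x01\x02\x03\x04".b                           # constructed session_id
  p parse_client_hello(build_client_hello(session_id: sid, sni: "www.example.com"))
  p resumption_without_sni?(build_client_hello(session_id: sid, sni: nil))
end
```

To apply it to the Wireshark capture from the report, export the ClientHello record bytes of the second (reconnect) handshake and pass them to `resumption_without_sni?`; a `true` result is the broken case, while a hello that carries both session_id and server_name lets the server pick the right certificate even when it has forgotten the session.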