From: k@rhe.jp
To: ruby-core@ruby-lang.org
Date: Wed, 29 Jun 2016 13:16:32 +0000
Subject: [ruby-core:76202] [Ruby trunk Bug#10398][Closed] Server Name Indication support broken when reusing a (dead) session

Issue #10398 has been updated by Kazuki Yamaguchi.

Status changed from Open to Closed

This should have been fixed by r52682 (in [Bug #11401], as Michiel suggests), and the root cause was also fixed by r55191 (in [Bug #11724]).

----------------------------------------
Bug #10398: Server Name Indication support broken when reusing a (dead) session
https://bugs.ruby-lang.org/issues/10398#change-59418

* Author: Arthur Holstvoogd
* Status: Closed
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
RFC 3546 recommends that the client include the server_name in each client hello message when possible. The Ruby OpenSSL client implementation doesn't send a server_name when it has a session to resume. Normally the server can resume the session and doesn't need the server_name.
However, if the server for whatever reason does not recognize the session ID, it is unable to determine which certificate to serve. This can cause intermittent failures.

This issue surfaced due to broken session-ID-based persistence in a VMware load balancer, causing every second connect to fail due to an invalid certificate. (The second connection was load balanced to another server that didn't know the session.) Since this might also occur if the server forgets the session more quickly than the client, I think this can be considered a bug.

I have tried to figure out how to patch this, but my C knowledge is not sufficient to figure this out.

## Steps to reproduce

When monitoring the following code with Wireshark, it shows that when reopening an HTTPS connection with a session, there is no server_name part included in the message. I used the following few lines of code to test:

~~~
require 'net/http' # provides Net::HTTP and URI

uri = URI('https://www.example.com/')
req = Net::HTTP::Get.new uri.request_uri
con = Net::HTTP.new uri.host, uri.port
con.use_ssl = true
con.start
con.finish
con.start # Produces a certificate error if the session is lost by the server
~~~

-- 
https://bugs.ruby-lang.org/
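The failure mode the report describes, as an added example that is neither part of the original bug report nor of Ruby's own test suite: a local TLS listener hosts two names (a.example as the default certificate, b.example selected through the servername callback), and a client connects four times: a full handshake with SNI, a resumption on the same server, then the same session offered to a restarted server, which cannot resume it, once with SNI (what the fixed client does) and once without (what the reporter's client did). The certificate check mirrors Net::HTTP's post_connection_check. The host names, the SniServer class and the tls_connect and run_demo helpers are constructed for this demo; the certificates are self-signed and generated at run time. Ruby 2.6 or later with the openssl gem's max_version= is assumed.

```ruby
require "openssl"
require "socket"

# Self-signed certificate and key for one virtual host (constructed for this demo).
def make_host(name)
  key = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# One listener serving several names. The first host's certificate is the default;
# servername_cb switches context when the ClientHello carries another name in SNI,
# and records every name it is asked about in #sni_seen (constructed for this demo).
class SniServer
  attr_reader :port, :sni_seen

  def initialize(hosts)
    @sni_seen = []
    ctxs = hosts.to_h { |name, (key, cert)| [name, build_ctx(key, cert)] }
    default = ctxs.values.first
    default.servername_cb = proc { |_sock, name| @sni_seen << name; ctxs[name] }
    @listener = TCPServer.new("127.0.0.1", 0)
    @port = @listener.addr[1]
    @ssl_server = OpenSSL::SSL::SSLServer.new(@listener, default)
    @thread = Thread.new { serve }
  end

  def stop
    @listener.close
    @thread.join
  end

  def build_ctx(key, cert)
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert = cert
    ctx.key = key
    ctx.session_id_context = "sni-demo" # same for every host, so resumption survives the SNI switch
    ctx
  end

  def serve
    loop do
      begin
        @ssl_server.accept.close # accept returns once the handshake has completed
      rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET
        next # a failed handshake must not take the listener down
      rescue IOError, SystemCallError
        break # listener closed by #stop
      end
    end
  end
end

# One client connection. sni: name for the server_name extension (nil sends none, which is
# what the pre-fix client did whenever it had a session to offer); session: a previous
# OpenSSL::SSL::Session to resume; expect: the name the served certificate must match.
def tls_connect(port, store, expect:, sni: nil, session: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION # TLS 1.3 tickets arrive after connect; 1.2 keeps resumption synchronous
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  ssl.sync_close = true
  ssl.hostname = sni if sni
  ssl.session = session if session
  ssl.connect
  served = ssl.peer_cert.subject.to_a.assoc("CN")[1]
  name_ok = (ssl.post_connection_check(expect) rescue false) # false when the certificate is for another name
  result = { served: served, reused: ssl.session_reused?, name_ok: name_ok, session: ssl.session }
  ssl.close
  result
end

# Full handshake, resumption on the same server, then the same session offered to a
# restarted server (which cannot resume it) once with SNI and once without.
def run_demo
  hosts = %w[a.example b.example].to_h { |n| [n, make_host(n)] }
  store = OpenSSL::X509::Store.new
  hosts.each_value { |(_key, cert)| store.add_cert(cert) }
  r = {}
  first = SniServer.new(hosts)
  r[:full] = tls_connect(first.port, store, expect: "b.example", sni: "b.example")
  r[:resumed] = tls_connect(first.port, store, expect: "b.example", sni: "b.example", session: r[:full][:session])
  first.stop
  second = SniServer.new(hosts)
  r[:dead_with_sni] = tls_connect(second.port, store, expect: "b.example", sni: "b.example", session: r[:full][:session])
  r[:dead_without_sni] = tls_connect(second.port, store, expect: "b.example", session: r[:full][:session])
  second.stop
  r[:second_server_sni] = second.sni_seen
  r
end

run_demo.each { |k, v| puts "#{k}: #{v.is_a?(Hash) ? v.reject { |f, _| f == :session } : v}" } if $PROGRAM_NAME == __FILE__
```

The restarted server has fresh session-ticket keys and an empty cache, so the offered session is a dead one in the report's sense. With SNI present it simply falls back to a full handshake and still serves b.example; without SNI it serves its default a.example certificate and post_connection_check fails, which is the intermittent certificate error the reporter saw behind a load balancer. The demo pins TLS 1.2 because in TLS 1.3 session tickets are delivered after the handshake and SNI is no longer bound to the session, so the resumption-without-SNI case cannot be shown in the same way.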