sessions reuse in openssl


sessions reuse in openssl

Harish Kulkarni
Hello All,

For some experiments I want to stop session reuse in OpenSSL. Is there a way to stop reusing the same session?

-thanks
harish


Re: sessions reuse in openssl

Viktor Dukhovni
On Wed, Jan 20, 2021 at 08:55:13AM +0530, Harish Kulkarni wrote:

> For some experiments I want to stop session reuse in OpenSSL. Is there a
> way to stop reusing the same session?

Your question is not sufficiently specific.  Are you looking to not
reuse a session in a client or a server?  Is the server issuing
stateless session tickets or doing fully stateful resumption with
an in-memory session cache?  Are you using TLS 1.2 or TLS 1.3?

Post a reasonable level of detail outlining where the decision
to reuse or not reuse the session is going to be made, and how
session resumption is performed when not disabled.

--
    Viktor.

Re: sessions reuse in openssl

Harish Kulkarni

I am working on memory analysis of OpenSSL. One of the observations is that the memory allocated by the d2i_X509() API (returned in x) is not being freed after the connection is closed, and this memory is stored as part of the session. I want to limit the number of sessions which we cache for reuse, or if possible completely avoid session caching.

Using TLS 1.3.

-thanks

harish


        x = d2i_X509(NULL, &q, l); //// <<<<<<< memory allocated HERE (HVK)
        if (x == NULL) {
            al = SSL_AD_BAD_CERTIFICATE;
            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
        }
        if (q != (p + l)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) { ////// STORED IN LIST HERE (HVK)
            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        x = NULL;
        nc += l + 3;
        p = q;
    }

    i = ssl_verify_cert_chain(s, sk);
    if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
#ifndef OPENSSL_NO_KRB5
        && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
             (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
#endif                          /* OPENSSL_NO_KRB5 */
        ) {
        al = ssl_verify_alarm_type(s->verify_result);
        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
               SSL_R_CERTIFICATE_VERIFY_FAILED);
        goto f_err;
    }
    ERR_clear_error();          /* but we keep s->verify_result */

    sc = ssl_sess_cert_new();
    if (sc == NULL)
        goto err;

    if (s->session->sess_cert)
        ssl_sess_cert_free(s->session->sess_cert);
    s->session->sess_cert = sc;

    sc->cert_chain = sk; ///// (HVK) THE CHAIN IS STORED HERE.. as part of session struct.. not freed.
    /*
     * Inconsistency alert: cert_chain does include the peer's certificate,
     * which we don't include in s3_srvr.c
     */
    x = sk_X509_value(sk, 0);
    sk = NULL;



Re: sessions reuse in openssl

Viktor Dukhovni
On Wed, Jan 20, 2021 at 11:33:21AM +0530, Harish Kulkarni wrote:

> I am working on memory analysis of OpenSSL.  One of the observations is that the
> memory allocated by the d2i_X509() API (returned in x) is not being freed after
> the connection is closed, and this memory is stored as part of the session.  I
> want to limit the number of sessions which we cache for reuse, or if possible
> completely avoid session caching.

You still have not explicitly stated whether the issue is server-side or
client-side.  Reading between the lines, it seems to be client-side.
The server certificate is an expected part of the session object.  When
you free the session object, the certificate object is also freed.

In OpenSSL, X.509 certificate objects are reference-counted, so you also
need to be careful with functions that inspect the server certificate
and increment its reference count as a side-effect.  If you use these,
you need to call X509_free() when the returned certificate is no longer
needed.

There is no automatic client-side session reuse in OpenSSL, so you don't
need to do anything to avoid resuming sessions.  Internal caching of
client-side sessions is off by default.  See the manual page of
SSL_CTX_set_session_cache_mode(3).

--
    Viktor.