KSSL session reuse bugs

George Staikos staikos at kde.org
Tue Oct 21 08:57:24 BST 2003


On Monday 20 October 2003 17:16, Stefan Rompf wrote:
> I've tracked down a number of bugs with SSL session reuse in KDE. I
> don't present complete fixes right now as I see need for additional
> discussion.

  Great!! Thanks for reviewing this..

> a) Session reusage doesn't take client certificates into account
>
> This one is quite hard to reproduce as konqueror is very conservative in
> reusing sessions. It needs an HTML document that consists of two frames.
> One frame must contain a link to reload the other frame.
>
> While reviewing TCPSlaveBase::doSSLHandShake() I found that openssl
> requires setting up the client certificate even if the session can be
> reused. So the code is a little "over-optimized" ;-) The following
> change helps:

  I'm not surprised. :-)  Client certificates still don't work right in 
general anyways.  I just don't have the time or motivation to fix it yet.

> -KSSLCertificateHome is optimized to cache certificates so that
> certificatePrompt() runs faster. May be quite intrusive as KDE3.2 alpha
> is out, but I'd prefer this

  That's the only solution IMHO.  We have to support this in KSSLD.

> b) When session reusage fails and a new session is created by class
> KSSL, it won't be saved.

   Ouch, can you file a bug report against this one please?   I can try to fix 
it over the next week or two.  Alternatively if you want to work on and 
commit fixes to these things, feel free to.

> c) Session reusage in konqueror is too conservative
>
> According to SSL literature (*) one SSL session can be used by multiple
> connections in parallel and therefore be addressed by "server:port".
> Different to that, konqueror uses new sessions in most cases, but on the
> good side this makes a) so hard to trigger ;-)
>
> I think we should associate SSL sessions application-wide by
> "server:port". From the technical side, KDE-wide should be possible,
> too, but I wouldn't recommend that for security reasons.

   Does the book explicitly say if you have a session for server:port, you can 
use it for all other concurrent or subsequent connections to server:port?

> d) Last but not least...
>
> ...there is a small dangling pointer bug at the end of
> certificatePrompt(). Fixing that should not raise too much discussion.

  Argh stupid me. ;)  Fixed...

   There is one other bug.  I notice crashes if the user switches from SSLv2 
to or from SSLv3 in the middle of a session.  Not too critical IMHO but worth 
fixing one day.

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
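
Points a) to c) above, sketched as an added example (not part of the original mail and not KSSL code): a session cache addressed by "server:port" alone hands a session negotiated with one client certificate to a connection that selected a different one, while a key that also carries the certificate fingerprint keeps them apart, and a session created after a failed resumption is stored. `SessionKey`, `SessionCache`, `openConnection` and the `sess-N` ids are hypothetical names for this sketch; a session is modelled as an opaque string rather than an OpenSSL object.

```cpp
#include <map>
#include <string>
#include <tuple>

// Hypothetical model, not KSSL code: a "session" is just an opaque id string.
struct SessionKey {
    std::string host;
    int port;
    std::string clientCertFingerprint;  // empty = no client certificate presented
    bool operator<(const SessionKey &o) const {
        return std::tie(host, port, clientCertFingerprint) <
               std::tie(o.host, o.port, o.clientCertFingerprint);
    }
};

class SessionCache {
public:
    // bindClientCert == false models a cache addressed by "server:port" only.
    explicit SessionCache(bool bindClientCert) : bindCert_(bindClientCert) {}
    const std::string *lookup(const SessionKey &k) const {
        auto it = sessions_.find(normalize(k));
        return it == sessions_.end() ? nullptr : &it->second;
    }
    void store(const SessionKey &k, const std::string &sessionId) {
        sessions_[normalize(k)] = sessionId;
    }
private:
    SessionKey normalize(SessionKey k) const {
        if (!bindCert_) k.clientCertFingerprint.clear();
        return k;
    }
    bool bindCert_;
    std::map<SessionKey, std::string> sessions_;
};

// Returns the session id the connection ends up using. A cache miss or a
// resumption the server rejects falls back to a full handshake (modelled as a
// fresh id), and that new session is stored so the next connection can reuse it.
std::string openConnection(SessionCache &cache, const SessionKey &k,
                           bool serverAcceptsResume, int &nextId) {
    const std::string *cached = cache.lookup(k);
    if (cached && serverAcceptsResume) return *cached;
    std::string fresh = "sess-" + std::to_string(nextId++);
    cache.store(k, fresh);
    return fresh;
}
```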




