KSSL session reuse bugs
Stefan Rompf
srompf at isg.de
Wed Oct 22 09:54:35 BST 2003
Hi,
> I'm not surprised. :-) Client certificates still don't work right in
> general anyways. I just don't have the time or motivation to fix it yet.
Ok, then I'll work on fixing this. As a first step I'll commit the fix to
tcpslavebase.cxx; the KSSLCertificateHome optimization will follow during the
next two weeks. I prefer a process-local certificate cache over KSSLD to avoid
the additional turnaround time that would otherwise be needed for every SSL
connection.
> > b) When session reusage fails and a new session is created by class
> > KSSL, it won't be saved.
>
> Ouch, can you file a bug report against this one please? I can try to
> fix it over the next week or two. Alternatively if you want to work on
> and commit fixes to these things, feel free to.
The reason is that KHTMLPart often forgets to set the ssl_session_id metadata
field so the ID sent to the KIO slave is not updated. I tried to change this
yesterday and also implemented a cache that would fix problem c, however this
did not help for IMG-links and http redirects as they are handled without
enough KHTMLPart interaction.
Right now, I feel tempted to move SSL session handling to KIO::Job, so that we
have only one transparent implementation for all applications. This is a real
world benefit, our SMTP server at work f.e. uses TLS and client certificates
to authorize relaying. I'll keep the list posted on the results.
> Does the book explicitly say if you have a session for server:port, you
> can use it for all other concurrent or subsequent connections to
> server:port?
Yes, the author is very clear about this, and also about using host and port
as key on the client side. You can have multiple connections for a session,
even in parallel, until the server decides to renegotiate. A client can also
have multiple sessions to a server.
> There is one other bug. I notice crashes if the user switches from SSLv2
> to or from SSLv3 in the middle of a session. Not too critical IMHO but
> worth fixing one day.
I'll try to reproduce this when I'm done with the stuff above.
Stefan
--
"doesn't work" is not a magic word to explain everything.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1691 bytes
Desc: signature
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20031022/dc8f80b6/attachment.bin>
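
An added example, not part of the original message and not KDE code: a process-local session cache keyed on host and port, as discussed in the message, showing why a replacement session has to be saved when the server declines the offered one (problem b). `FakeServer`, `SessionCache`, `openConnection` and the endpoint are hypothetical, and sessions are modelled as opaque ID strings rather than real SSL state.

```cpp
#include <map>
#include <set>
#include <string>

// All names are hypothetical; a session is modelled as an opaque ID string.
typedef std::pair<std::string, int> Endpoint;  // (host, port): client-side cache key

// Constructed stand-in for a server: resumes known IDs, else issues a new one.
struct FakeServer {
    std::set<std::string> live;
    int fullHandshakes = 0;
    std::string handshake(const std::string& offered) {
        if (!offered.empty() && live.count(offered)) return offered;  // resumed
        std::string id = "sess-" + std::to_string(++fullHandshakes);
        live.insert(id);
        return id;
    }
    void expire(const std::string& id) { live.erase(id); }
};

// Process-local cache holding the most recent session per (host, port).
class SessionCache {
    std::map<Endpoint, std::string> byEndpoint;
public:
    std::string lookup(const Endpoint& ep) const {
        auto it = byEndpoint.find(ep);
        return it == byEndpoint.end() ? std::string() : it->second;
    }
    void store(const Endpoint& ep, const std::string& id) { byEndpoint[ep] = id; }
};

// Offers the cached ID and returns true if the server resumed it. With
// saveOnFallback=false a replacement session is dropped, as in problem (b).
bool openConnection(SessionCache& cache, FakeServer& srv, const Endpoint& ep,
                    bool saveOnFallback = true) {
    std::string offered = cache.lookup(ep);
    std::string used = srv.handshake(offered);
    bool resumed = !offered.empty() && offered == used;
    if (!resumed && (saveOnFallback || offered.empty())) cache.store(ep, used);
    return resumed;
}

// One connect, server-side expiry, three more connects; returns full handshakes.
int fullHandshakesAfterExpiry(bool saveOnFallback) {
    FakeServer srv; SessionCache cache;
    Endpoint ep("mail.example.org", 465);  // constructed endpoint
    openConnection(cache, srv, ep, saveOnFallback);
    srv.expire(cache.lookup(ep));
    for (int i = 0; i < 3; ++i) openConnection(cache, srv, ep, saveOnFallback);
    return srv.fullHandshakes;
}
```

When the replacement session is saved, the server performs two full handshakes in this run; when it is dropped, every connection after the expiry costs a full handshake.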