* relation between stores and contexts.
*/
+void
+isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx);
+/*%<
+ * Set context within which session can be reused to a randomly
+ * generated value. This one is used for TLS session resumption using
+ * session IDs. See OpenSSL documentation for
+ * 'SSL_CTX_set_session_id_context()'.
+ *
+ * It might be worth noting that usually session ID contexts are kept
+ * static for an application and particular certificate
+ * combination. However, for the cases when exporting server side TLS
+ * session cache to/loading from external memory is not required, we
+ * might use random IDs just fine. See,
+ * e.g. 'ngx_ssl_session_id_context()' in NGINX for an example of how
+ * a session ID might be obtained.
+ *
+ * Requires:
+ *\li 'ctx' - a valid non-NULL pointer;
+ */
+
void
isc__tls_initialize(void);
REQUIRE(VALID_TLSCTX_CLIENT_SESSION_CACHE(cache));
return (cache->ctx);
}
+
+void
+isc_tlsctx_set_random_session_id_context(isc_tlsctx_t *ctx) {
+ uint8_t session_id_ctx[SSL_MAX_SID_CTX_LENGTH] = { 0 };
+ const size_t len = ISC_MIN(20, sizeof(session_id_ctx));
+
+ REQUIRE(ctx != NULL);
+
+ RUNTIME_CHECK(RAND_bytes(session_id_ctx, len) == 1);
+
+ RUNTIME_CHECK(
+ SSL_CTX_set_session_id_context(ctx, session_id_ctx, len) == 1);
+}
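Review bot: The session ID context length in the `len` initialisation is a bare `20` with no name or rationale, and wrapping it in ISC_MIN with the array size hides the intent rather than explaining it; say where the number comes from, e.g. `const size_t len = ISC_MIN(20, sizeof(session_id_ctx)); /* 20 random bytes, the SHA-1 digest size NGINX uses; the array bound SSL_MAX_SID_CTX_LENGTH caps it */`. Both checks in the body are RUNTIME_CHECKs, so an RNG failure in RAND_bytes() or a rejected context aborts the whole process instead of reporting an error, and because the function is void a caller written in the `goto tls_error` style seen elsewhere in this patch has no way to recover; either document the abort-on-failure behaviour in the header comment or return an isc_result_t if a graceful path is wanted. It is also worth stating in the documentation that, since resumption requires a matching session ID context, a fresh random value per ctx deliberately prevents sessions from being resumed across contexts, including a replacement ctx created after reconfiguration, which is the conservative default when contexts may differ in client-certificate requirements.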
goto tls_error;
}
+ /*
+ * We need to initialise session ID context to make TLS
+ * session resumption work correctly - in particular in
+ * the case when client certificates are used (Mutual
+ * TLS) - otherwise resumption attempts will lead to
+ * handshake failures. See OpenSSL documentation for
+ * 'SSL_CTX_set_session_id_context()', the "Warnings"
+ * section.
+ */
+ isc_tlsctx_set_random_session_id_context(sslctx);
+
/*
* If CA-bundle file is specified - enable client
* certificates validation.