OVS currently does not support TLS session resumption. The server-side session cache is disabled (SSL_SESS_CACHE_OFF) and no session id context is configured. However, clients may still send stateless tickets, causing SSL_accept() to fail with "session id context uninitialized".
Disable stateless session tickets with SSL_OP_NO_TICKET so that clients do not attempt resumption. Signed-off-by: Mykola Yurchenko <[email protected]> --- Version 2: - Use SSL_OP_NO_TICKET instead of SSL_CTX_set_session_id_context() to avoid enabling session resumption. [Ilya Maximets] lib/stream-ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index c8eb26b..9b468e0 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1080,6 +1080,7 @@ do_ssl_init(void) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); SSL_CTX_set_cipher_list(ctx, "DEFAULT:@SECLEVEL=2"); return 0; -- 2.51.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
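Review bot: the added `SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);` line in do_ssl_init() should carry a short comment, because the reason for it lives only in the commit message: the `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);` call directly above it does not by itself stop the server from handing out session tickets, so a client that presents one on its next connection makes SSL_accept() fail with "session id context uninitialized". Something like `/* No session resumption: refuse tickets so clients do not attempt it. */` immediately above the call would keep that context beside the code for the next reader. Setting the option on the shared ctx at this point, before any SSL objects are created from it, is the right place; the returned option mask does not need to be checked.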
