> > Squid cache.log complains about:
> >
> > 2004/03/03 20:53:07| clientNegotiateSSL: Error negotiating SSL
> > connection on FD 17: error:140D9115:SSL
> > routines:SSL_GET_PREV_SESSION:session id context
> > uninitialized (1/-1)
>
> This is probably a bug in the Squid SSL implementation or
> misfeature in the version of OpenSSL used.
>
> It probably helps to add an SSL_CTX_set_session_id_context()
> call to the server-side SSL context. Using a session id
> context based on an MD4 of the pid and start time of Squid is
> probably appropriate.
Well, it seems that correct session handling in SSL is not easy. It seems that 255 sessions are cached for each SSL_CTX by default, even if the session_id_context is not set. That's probably why Mozilla complains. So I think we have two options here:
1/ Disable SSL session caching by calling SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_OFF)
Here is the patch against squid-3.0-PRE3-20040229. I've tested it with Mozilla and Explorer and it works.
--- ssl_support.cc.orig 2003-04-20 00:19:45.000000000 +0200
+++ ssl_support.cc 2004-03-04 00:10:06.000000000 +0100
@@ -466,6 +466,9 @@
ERR_error_string(ssl_error, NULL));
}
+ /* No session caching for client or server takes place */
+ SSL_CTX_set_session_cache_mode(sslContext, SSL_SESS_CACHE_OFF);
+
SSL_CTX_set_options(sslContext, ssl_parse_options(options));
if (cipher) {
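Review bot: the added comment "No session caching for client or server takes place" overstates what the hunk does; SSL_SESS_CACHE_OFF is applied to the single sslContext configured here, so it only affects whatever that context is used for, and the comment should say so. Worth documenting next to the call that this is the blunt fix: it removes the "session id context uninitialized" failure by refusing resumption entirely, so every client handshake becomes a full handshake, and that the alternative of keeping the cache and calling SSL_CTX_set_session_id_context() on the server-side context was deliberately not taken.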
2/ Enable internal OpenSSL session caching by calling SSL_CTX_set_session_id_context(). But then it seems we have to (manually) add each session to the internal OpenSSL cache by calling SSL_CTX_add_session().
See this message:
http://groups.google.com/groups?q=SSL_ctx_add_session&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=bb6j9v%2423pi%241%40FreeBSD.csie.NCTU.edu.tw&rnum=5
I think I can provide a patch for this as well, but let's see what your thoughts on this are.
Thanks,
David