[Libwebsockets] Use of LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT breaks SSL due to lack of session ID

Andy Green andy at warmcat.com
Thu Oct 15 03:04:33 CEST 2015



On 18 June 2015 05:45:26 GMT+09:00, Bruce Perens <bruce at perens.com> wrote:
>Use of LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT will break
>SSL
>and stop serving on the SSL socket.
>
>In the man page for SSL_CTX_set_session_id_context(), it says:
>
>If the session id context is not set on an SSL/TLS server and client
>certificates are used, stored sessions will not be reused but a fatal
>error
>will be flagged and the handshake will fail.
>
>
>Therefore, there must be a call to SSL_CTX_set_session_id_context() in
>the
>code for LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT in ssl.c .
>The
>session context ID may be any unique value, I stuck a random number in
>there.

Thanks, I used the ssl context pointer as the session id, not sure if it needs to be passed externally, but this is better than what we had.

-Andy

>    Thanks
>
>    Bruce
>
>