[Libwebsockets] TLS session cache and reuse, lws_tls_session_new_cb() not executed by BoringSSL
cra at mega.nz
Tue Apr 27 19:05:06 CEST 2021
Caching and reusing TLS sessions for OpenSSL uses
lws_tls_session_new_cb() set with SSL_CTX_sess_set_new_cb()
for noticing when a new session has been negociated.
Unfortunately a more recent BoringSSL version (for reference: the one
used by the latest versions of WebRTC)
is not executing that callback, despite it being correctly set by LWS.
The consequence of this is that a new session is not added to the LWS
This can be worked around in user code, by retrieving the new session in
the lws_callback_function set in lws_protocols,
for reason LWS_CALLBACK_CLIENT_ESTABLISHED, and add it to the cache
there, using lws_tls_session_dump_load().
This works fine the first time, but will not replace an old session
already present in the cache.
Consider the following scenario:
- app starts;
- an old serialized session is loaded into LWS cache;
- LWS attempts to reuse it for a new connection;
- the remote server rejcts the old session and negociates a new one;
- LWS is not notified about the new session, and the old one is not
replaced in cache;
- the workaround kicks in, gets the new session, but the old one is
already present in the cache,
for the same tag, and will not be replaced.
A few alternative options for fully working around the limitation in
1) Change lws_tls_session_dump_load() to always replace the session in
cache (do what lws_tls_session_new_cb() does
The original idea appeared to be correct, of not replacing sessions
in cache with newly loaded ones,
but unfortunately there is no way to force loading a session into cache.
2) Add a new function to drop a session from cache, based on its tag.
This is probably the simplest one.
3) Add a new compile-time symbol, that could be used to wrap the code in
lws_tls_session_dump_load() that checks
for a session being already present in cache.
4) Add an extra argument to lws_tls_session_dump_load(), based on which
it would force replacing a session into cache.
Do any of these sound reasonable?
More information about the Libwebsockets