[Libwebsockets] TLS session cache and reuse, lws_tls_session_new_cb() not executed by BoringSSL
cra at mega.nz
Tue Apr 27 20:39:17 CEST 2021
On 27.04.2021 21:23, Andy Green wrote:
> OK, but it means boringssl is broken?
Yes, this is my understanding so far.
> It sounds like something that should be fixed at boringssl, so it
> follows OpenSSL api promises, IIUI.
True again, it should be fixed at boringssl.
>> - LWS is not notified about the new session, and the old one is
>> not replaced in cache;
> this is just saying stuff depending on the tls lib apis doing what
> they should
Absolutely. The scenario was only given as example, to easily understand
the problem, not to say that LWS is doing anything wrong.
There's nothing wrong with LWS, and a workaround would definitely _not_
solve it. However it would be quick to overcome it (until the problem is
identified in boringssl, then fixed, then webrtc would pick it up, then
the implementation here would upgrade the webrtc version...).
If a code change for LWS that would help with this is not appropriate
(i.e. proposal 2 could make sense with or without this problem, but it's
too late for 4.2-stable), do you have any advice for mitigating this at
LWS level or user code level?
More information about the Libwebsockets