[Libwebsockets] TLS session cache and reuse, lws_tls_session_new_cb() not executed by BoringSSL

Catalin Raceanu cra at mega.nz
Tue Apr 27 20:39:17 CEST 2021


On 27.04.2021 21:23, Andy Green wrote:
>
> OK, but it means boringssl is broken?


Yes, this is my understanding so far.


> It sounds like something that should be fixed at boringssl, so it 
> follows OpenSSL api promises, IIUI.


True again, it should be fixed at boringssl.


>>      - LWS is not notified about the new session, and the old one is 
>> not replaced in cache;
>
> this is just saying stuff depending on the tls lib apis doing what 
> they should


Absolutely. The scenario was only given as example, to easily understand 
the problem, not to say that LWS is doing anything wrong.


There's nothing wrong with LWS, and a workaround would definitely _not_ 
solve it. However it would be quick to overcome it (until the problem is 
identified in boringssl, then fixed, then webrtc would pick it up, then 
the implementation here would upgrade the webrtc version...).

If a code change for LWS that would help with this is not appropriate 
(i.e. proposal 2 could make sense with or without this problem, but it's 
too late for 4.2-stable), do you have any advice for mitigating this at 
LWS level or user code level?


Regards,

Catalin




More information about the Libwebsockets mailing list