我正在使用 OpenSSL 1.0.2g。在我的客户端中,我想完全禁用 SSL session 恢复(出于测试目的)。
我在连接之前、创建 SSL_CTX 之后执行以下操作:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
但是我在流量捕获中看到的是,我的客户端总是通过发送非空 session ID 来进行 session 重用。服务器确实接受了它。
如何完全禁用 SSL session 恢复?
更多扩展代码片段:
SSL_CTX *ctx = NULL;
ctx = SSL_CTX_new(SSLv23_client_method()))
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_verify_depth(ctx, 0);
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
我做错了什么吗?缺少任何必需的步骤吗?
最佳答案
您正在设置自动重试:
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
根据 documentation :
SSL_MODE_AUTO_RETRY
Never bother the application with retries if the transport is blocking. If a renegotiation take place during normal operation, a SSL_read or SSL_write would return with -1 and indicate the need to retry with SSL_ERROR_WANT_READ. In a non-blocking environment applications must be prepared to handle incomplete read/write operations. In a blocking environment, applications are not always prepared to deal with read/write operations returning without success report. The flag SSL_MODE_AUTO_RETRY will cause read/write operations to only return after the handshake and successful completion.
这意味着自动重新协商将悄然发生,而使用 OpenSSL 库的应用程序不会意识到。请参阅the documentation for SSL_write() :
If the underlying BIO is blocking, SSL_write() will only return, once the write operation has been finished or an error occurred, except when a renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the SSL_CTX_set_mode call.
这种“无声”的重新协商可能可以解释您观察到的行为,如果是这样,不使用SSL_MODE_AUTO_RETRY可能会解决您的问题。
OpenSSL 是一个极其复杂的工具,在我看来,许多选项的行为记录很少。对于一个非常相关的示例,“可以使用 SSL_CTX_set_mode 调用的 SSL_MODE_AUTO_RETRY 标志来控制此行为。” 如何控制? 暗示使用 SSL_MODE_AUTO_RETRY 允许静默重新协商并因此重用 session ,但从未明确说明。
同样,the many options for SSL_CTX_set_session_cache_mode() 之一可能相关:
In order to reuse a session, a client must send the session's id to the server. It can only send exactly one id. The server then either agrees to reuse the session or it starts a full handshake (to create a new session).
A server will lookup up the session in its internal session storage. If the session is not found in internal storage or lookups for the internal storage have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try the external storage if available.
所以,确实如此
SSL_SESS_CACHE_OFF
No session caching for client or server takes place.
禁用内部缓存的使用?对我来说,这意味着它不。
关于session - 如何在客户端完全禁用 SSL session 恢复?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/39453073/