Re: PostgreSQL not setting OpenSSL session id context?
Shay Rojansky <roji@roji.org>
From: Shay Rojansky <roji@roji.org>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Heikki Linnakangas <hlinnaka@iki.fi>, pgsql-hackers@postgresql.org
Date: 2017-08-03T05:49:57Z
Lists: pgsql-hackers
One more note: https://github.com/netty/netty/pull/5321/files is an equivalent PR setting the session ID context to a constant value in netty (which is also a server using OpenSSL). This is in line with the documentation on SSL_CTX_set_session_id_context ( https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_session_id_context(3) ): > Sessions are generated within a certain context. When exporting/importing sessions with *i2d_SSL_SESSION*/*d2i_SSL_SESSION* it would be possible, to re-import a session generated from another context (e.g. another application), which might lead to malfunctions. Therefore each application must set its own session id context *sid_ctx* which is used to distinguish the contexts and is stored in exported sessions. The *sid_ctx* can be any kind of binary data with a given length, it is therefore possible to use e.g. the name of the application and/or the hostname and/or service name ...
Commits
-
Disallow SSL session tickets.
- c180d2eb7614 9.2.22 landed
- dda04b9dd1bd 9.3.18 landed
- bebee333c3d2 9.5.8 landed
- b798ea88ac6e 9.6.4 landed
- 97d3a0b0900a 10.0 landed
- 8d05db3d8e0c 9.4.13 landed