cyrusimap / bugzilla-migrate-test


TLS should accept reauthentication #13

Closed brong closed 14 years ago

brong commented 23 years ago

From: Larry Greenfield Bugzilla-Id: 436 Version: 2.0.x Owner: ken@oceana.com

brong commented 23 years ago

From: Larry Greenfield

we should use TLS fast reauthentication stuff. investigate how to give OpenSSL a database to enable this. should work across all services, obviously.

(investigate whether mulberry does this?)

brong commented 23 years ago

From: Ken Murchison

Did a little digging... the openssl s_server app reuses sessions using its internal cache, and mod_ssl for Apache uses both the internal cache and an external DBM database to reuse sessions between forked processes.

If I knew a little bit more about openssl and cyrusdb, I'd try to migrate some of this code.

brong commented 23 years ago

Attachment-Id: 20 From: Ken Murchison Type: text/plain File: tls_reuse.patch

TLS session reuse patch (single process only)

brong commented 23 years ago

From: Ken Murchison

Description of previous patch:

I started to get a little more curious, so I put some effort into this. I currently have what I think is a correct implementation for reusing sessions within one process. I have attached a very simple patch which does this in imapd and pop3d for you to browse when you get bored at IETF. The most important thing is to not call SSL_free() in reset(). I have tested this without calling SSL_set_shutdown() and/or SSL_CTX_set_session_id_context() and the code still works, but I think this is just plain dumb luck. All of the server code that I looked at sets the session id and OpenSSL s_server uses the SSL_set_shutdown() call, so I think these should be used even if not entirely necessary.

If this looks harmless, I'll go ahead and commit it.

To test this, I modified the -reconnect feature of OpenSSL s_client so that it goes into "echo" mode for each connection, and I can terminate the connection to the daemon gracefully (via LOGOUT or QUIT). The standard behavior is for s_client to simply close the connection, which causes imapd/pop3d to shutdown and master would have to fork a new one (rendering my current reuse code useless). I can send you the patch if you like.

Next, I'm going to take a closer look at the mod_ssl code and see if I can set up a DB3 database so that sessions can be shared between processes.

brong commented 23 years ago

From: Ken Murchison

Just committed 95% correct/complete code. Need to check db3 correctness and need to decide how to delete expired sessions from the db.

brong commented 23 years ago

From: Ken Murchison

FYI, Netscape Communicator 4.77, OE 5.5 and Outlook 2000 all reuse TLS sessions! Very cool.

brong commented 23 years ago

From: Ken Murchison

Just committed complete working/documented implementation. Needs to be tested on a system using cyrusdb_flat for mailboxes.db.
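The thread describes two pieces: keeping the server-side session object alive across connections (the "don't call SSL_free() in reset()" change) and an external database so that sessions can be resumed by a different forked process, with expired entries eventually deleted. The example below is an added illustration of that second design and is not Cyrus code or Ken Murchison's patch. It is written against Go's standard crypto/tls rather than the C/OpenSSL code the thread is about, because Go exposes the same idea, a server-side session store behind a "store" and a "look up" callback (WrapSession/UnwrapSession, Go 1.21 or later), without any external library: the in-memory map stands in for the DB3/cyrusdb file, the 128-bit random key handed to the client plays the part of the session ID, and an unknown or expired key falls back to a full handshake. The host name, the one-minute TTL, the IMAP-style greeting and all function names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"sync"
	"time"
)

// sessionStore stands in for the shared session database (the DB3 file in the thread):
// serialized session state keyed by a random id that the server gives the client as its
// ticket, so any process holding the store can resume a session another one created.
type sessionStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	entries map[string]storedSession
}

type storedSession struct {
	state   []byte
	expires time.Time
}

func newSessionStore(ttl time.Duration) *sessionStore {
	return &sessionStore{ttl: ttl, entries: map[string]storedSession{}}
}

// wrap is installed as tls.Config.WrapSession: it stores the serialized session under a
// fresh 128-bit key and returns that key as the ticket; the secrets never leave the store.
func (s *sessionStore) wrap(_ tls.ConnectionState, ss *tls.SessionState) ([]byte, error) {
	blob, err := ss.Bytes()
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	rand.Read(id) // crypto/rand.Read is documented never to fail
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[hex.EncodeToString(id)] = storedSession{state: blob, expires: time.Now().Add(s.ttl)}
	return id, nil
}

// unwrap is installed as tls.Config.UnwrapSession. Returning (nil, nil) tells crypto/tls
// to run a full handshake, the right answer for an unknown or expired ticket; an expired
// entry is deleted on sight (a periodic sweep of the db would apply the same check).
func (s *sessionStore) unwrap(ticket []byte, _ tls.ConnectionState) (*tls.SessionState, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(ticket)
	e, ok := s.entries[key]
	if !ok || time.Now().After(e.expires) {
		delete(s.entries, key) // no-op when the key was never there
		return nil, nil
	}
	return tls.ParseSessionState(e.state)
}

// selfSignedCert builds a throwaway certificate for the (assumed) demo host name.
func selfSignedCert(host string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// resumeTwice dials a loopback server backed by the store twice and reports whether each
// connection was resumed; with a live TTL the expected result is first=false, second=true.
func resumeTwice(store *sessionStore) (first, second bool, err error) {
	const host = "imap.example.test"
	cert := selfSignedCert(host)
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, WrapSession: store.wrap, UnwrapSession: store.unwrap}
	cliCfg := &tls.Config{ServerName: host, RootCAs: pool, ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return
	}
	defer ln.Close()
	go func() { // server side: greet like imapd (Write runs the handshake), then close
		for i := 0; i < 2; i++ {
			if c, e := ln.Accept(); e == nil {
				c.Write([]byte("* OK IMAP4rev1 server ready\r\n"))
				c.Close()
			}
		}
	}()
	connect := func() (bool, error) {
		c, e := tls.Dial("tcp", ln.Addr().String(), cliCfg)
		if e != nil {
			return false, e
		}
		defer c.Close()
		// Reading the greeting also consumes the TLS 1.3 NewSessionTicket, so the
		// client cache holds the ticket before the second dial.
		if _, e = c.Read(make([]byte, 64)); e != nil {
			return false, e
		}
		return c.ConnectionState().DidResume, nil
	}
	if first, err = connect(); err == nil {
		second, err = connect()
	}
	return
}
```

The structure maps onto the OpenSSL side of the thread: the two callbacks correspond to the new-session and get-session callbacks registered with SSL_CTX_sess_set_new_cb() and SSL_CTX_sess_set_get_cb() (with SSL_SESS_CACHE_NO_INTERNAL so the external database is the only cache, which is how mod_ssl shares sessions between forked processes), and the on-lookup expiry check is the piece the thread still had to decide on. Creating the store with a negative TTL makes every ticket arrive already expired, which is the easy way to confirm that the fallback really is a clean full handshake rather than an error.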