On Monday 20 October 2003 17:16, Stefan Rompf wrote: > I've tracked down a number of bugs with SSL session reuse in KDE. I > don't present a complete fixes right now as I see need for additional > discussion. Great!! Thanks for reviewing this.. > a) Session reusage doesn't take client certificates into account > > This one is quite hard to reproduce as konqueror is very conservative in > reusing sessions. It needs a html document that consist of two frames. > One frame must contain a link to reload the other frame. > > While reviewing TCPSlaveBase::doSSLHandShake() I found that openssl > requires setting up the client certificate even if the session can be > reused. So the code is a little "over-optimized" ;-) The following > change helps: I'm not surprised. :-) Client certificates still don't work right in general anyways. I just don't have the time or motivation to fix it yet. > -KSSLCertificateHome is optimized to cache certificates so that > certificatePrompt() runs faster. May be quite intrusive as KDE3.2 alpha > is out, but I'd prefer this That's the only solution IMHO. We have to support this in KSSLD. > b) When session reusage fails and a new session is created by class > KSSL, it won't be saved. Ouch, can you file a bug report against this one please? I can try to fix it over the next week or two. Alternatively if you want to work on and commit fixes to these things, feel free to. > c) Session reusage in konqueror is too conservative > > According to SSL literature (*) one SSL session can be used by multiple > connections in parallel and therefore be adressed by "server:port". > Different to that, konqueror uses new sessions in most cases, but on the > good side this makes a) so hard to trigger ;-) > > I think we should associate SSL sessions application-wide by > "server:port". From the technical side, KDE-wide should be possible, > too, but I wouldn't recommend that for security reasons. Does the book explicitly say if you have a session for server:port, you can use it for all other concurrent or subsequent connections to server:port? > d) Last but not least... > > ...there is a small dangling pointer bug at the end of > certificatePrompt(). Fixing that should not raise too much discussion. Argh stupid me. ;) Fixed... There is one other bug. I notice crashes if the user switches from SSLv2 to or from SSLv3 in the middle of a session. Not too critical IMHO but worth fixing one day. -- George Staikos KDE Developer http://www.kde.org/ Staikos Computing Services Inc. http://www.staikos.net/