
What I will do in any case is to try enabling the session cache in production again (once the next release is out) and watch the situation for a few days.

Just as a reminder, that's not going to work if any of the clients want to depend on X.509.

Went down the rabbit hole of how OpenSSL manages sessions. It is possible to serialize the peer chain along with the SSL_SESSION object as part of the application-layer data (allowing OpenSSL to continue to manage the cache). Notes:

If I had to guess, it's probably about 2 solid days of development work to put this all together.

Alternately, instead of serializing the peer chain, one could look at serializing the XrdSecEntity itself. That way you wouldn't have to re-verify certificates upon session resumption.

Anyhow, not planning to look too much further here - just wanted to record that it appears to be possible.

