stream-ssl: Set SSL session cache mode to disabled.
author    Guru Chaitanya Perakam <gperakam@Brocade.com>
          Fri, 3 Jul 2015 05:17:31 +0000 (10:47 +0530)
committer Ben Pfaff <blp@nicira.com>
          Mon, 6 Jul 2015 15:07:48 +0000 (08:07 -0700)
To enable SSL clients to reconnect with the ovs-testcontroller without being
rejected, one must either set the SSL Session ID flag or disable the
SSL caching. This patch disables the SSL caching/reuse.

In the absence of this fix, the error message from ovs-testcontroller is as
below:

  SSL protocol error: SSL_accept (error:140D9115:SSL
  routines:SSL_GET_PREV_SESSION:session id context uninitialized)

See <https://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html>.

Validation: Tested with ovs-testcontroller, by performing SSL reconnection
with OpenSSL based SSL client.

Signed-off-by: Guru Chaitanya Perakam <gperakam@brocade.com>
Reported-by: Guru Chaitanya Perakam <gperakam@brocade.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
AUTHORS
lib/stream-ssl.c

diff --git a/AUTHORS b/AUTHORS
index 018d396..79be45b 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -69,6 +69,7 @@ Gianluca Merlo          gianluca.merlo@gmail.com
 Giuseppe Lettieri       g.lettieri@iet.unipi.it
 Glen Gibb               grg@stanford.edu
 Guolin Yang             gyang@nicira.com
+Guru Chaitanya Perakam  gperakam@Brocade.com
 Gurucharan Shetty       gshetty@nicira.com
 Henry Mai               hmai@nicira.com
 Hao Zheng               hzheng@nicira.com
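Review bot: the new AUTHORS entry uses `gperakam@Brocade.com` while both the Signed-off-by and Reported-by trailers use `gperakam@brocade.com`; pick one spelling (the lowercase form matches the trailers) so the address can be matched against commit metadata. The alphabetical placement before `Gurucharan Shetty` is correct.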
index 156dd2f..8b063ba 100644 (file)
@@ -971,6 +971,7 @@ do_ssl_init(void)
     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                        NULL);
+    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
 
     return 0;
 }
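Review bot: the added `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);` carries no comment, so a later reader of do_ssl_init() will not know it exists to avoid the `SSL_GET_PREV_SESSION:session id context uninitialized` failure on client reconnect described in the commit message; add a one-line comment stating that. The commit message also names the alternative fix, calling SSL_CTX_set_session_id_context() so the context is initialized; that option keeps session resumption working, whereas SSL_SESS_CACHE_OFF forces a full handshake on every reconnect, so it is worth noting in the comment (or the commit message) why the cache-off route was chosen.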