Discussion:
[asio-users] ssl: session id context uninitialized
Adam Crain
2016-03-12 18:16:20 UTC
Hi all,

I'm developing a server which requires client certificate validation.

My server accepts the first connection, and successfully performs the
handshake, and I receive the registered callbacks for each verified
certificate in the chain.

However, the 2nd time a connection is accepted, the handshake callback
returns an error code that serializes to "session id context uninitialized".

Some searching has revealed inconclusive results, but it appears to be
something related to openssl expecting to reuse a previous session. Here's
the accept/handshake code:

https://github.com/automatak/dnp3/blob/gprs-mem-fix/cpp/libs/src/asiopal/tls/TLSServer.cpp#L84

Am I doing this correctly where each ssl::stream shares a single common
ssl::context? Is there an explicit way to disable session caching?

Regards,
Adam
--
J Adam Crain - Partner

<http://www.automatak.com>

PGP 4096R/E2984A0C <https://www.automatak.com/keys/jadamcrain.asc> 2013-05-03
Adam Crain
2016-03-15 20:42:33 UTC
To anyone wondering, the magic incantation for this error is to use
SSL_OP_NO_TICKET when configuring the context.

"SSL_OP_NO_TICKET Normally clients and servers will, where possible,
transparently make use of RFC4507bis tickets for stateless session
resumption"

I understand why asio::ssl wraps many of the macros in openssl as
constants, but inevitably, you have to resort to the raw openssl APIs
anyway.
Wouter van Kleunen
2016-03-15 21:37:50 UTC
Thank you,

I was wondering, I ran into the same issue.
asio-users mailing list
https://lists.sourceforge.net/lists/listinfo/asio-users
Adam Crain
2016-03-16 17:23:14 UTC
Wouter, all:

Ok, SSL_OP_NO_TICKET allowed me to accept another connection after the
first one is closed, but I still get this error when I have an active
session and another one is accepted.

Does anyone have any ideas?

Here's the configuration code with SSL_OP_NO_TICKET being set:

https://github.com/automatak/dnp3/blob/gprs-mem-fix/cpp/libs/src/asiopal/tls/SSLContext.cpp#L45

and here's the actual server:

https://github.com/automatak/dnp3/blob/gprs-mem-fix/cpp/libs/src/asiopal/tls/TLSServer.cpp#L36
Adam Crain
2016-03-17 13:00:30 UTC
Ok, I found a solution for this as well, and that's to entirely disable
session caching using:

SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

I have not tested whether SSL_OP_NO_TICKET is still required.

SSL_CTX_set_session_cache_mode(value.native_handle(), SSL_SESS_CACHE_OFF);

-Adam