Client-side SSL_SESSION not working after SSL_free() or SSL_set_session(ssl, NULL)

[tiran]

With OpenSSL 1.1.0 I can no longer copy SSL_SESSION from one client-side connection to another

Pseudo-code:

ctx = SSL_CTX_new(TLSv1_2_method())
ssl1 = SSL_new(ctx)
// connect and perform handshake
sess = SSL_get1_session(ssl1);
SSL_shutdown(ssl1)
SSL_free(ssl1)

ssl2 = SSL_new(ctx)
SSL_set_session(ssl2, sess)
// connect and perform handshake

This approach works perfectly fine in OpenSSL 1.0.2 and earlier. I'm using it in my patch for Python 3.6
https://bugs.python.org/issue19500. With OpenSSL 1.1.0 the feature is broken. Wireshark shows that the second connection does not send a session id and session id length of 0. PyOpenSSL is also affected, pyca/pyopenssl#528

Session resumption works correctly when I either

• delay or omit SSL_free() calls
• dump the session with PEM_write_bio_SSL_SESSION and reload it with PEM_read_bio_SSL_SESSION.

As soon as I use SSL_set_session(ssl, NULL) or SSL_free(ssl) with an SSL object, its session can no longer be used to resume another client session.

[richsalz]

It seems to me that this is working correctly; releasing the SSL object should release its session, too. Can you do SSL_SESSION_up_ref() before the SSL_free and then do SSL_SESSION_free after you've given it to the new SSL object?

[davidben]

SSL_get1_session will already hand the caller a reference. (It's SSL_get_session and SSL_get0_session that give a non-owning one.) Without having looked into it, my guess would be perhaps a regression around the ssl_clear_bad_session and not_resumable logic.

[tiran]

@davidben, sounds plausible. I installed a remove_session_cb to debug the issue. It shows that SSL_free() clears my session object although I own a reference from SSL_get1_session().

[mattcaswell]

Hmmm....I recently added a whole bunch of session tests in sslapitest.c...but not for this apparently :-(

[davidben]

@tiran I'm not able to reproduce this with a quick test program on my end. Are you sure that pseudocode is accurate?

Glancing through the code, I don't see a way for this to happen. For SSL_free to drop the session, ssl_clear_bad_session has a ton of preconditions, notably !(s->shutdown & SSL_SENT_SHUTDOWN). However, SSL_shutdown calls into ssl3_shutdown which always[*] ends up flagging SSL_SENT_SHUTDOWN, and your pseudocode doesn't include anything between SSL_shutdown and SSL_free.

[*] Unless s->handshake_func is NULL, SSL_in_init(s), or maybe SSL_MODE_ASYNC. But you say you've completed a handshake, so the first is impossible. You don't set SSL_MODE_ASYNC. And if SSL_in_init(s) were true (which if can't if you've completed the handshake), ssl_clear_bad_session wouldn't do anything.

Perhaps you could put together a working minimal C or C++ program that does what Python is doing here and still repros?

[tiran]

@davidben I'm still able to reproduce the issue with 1.1.0a and Python 3.6.0b1 when I disable my workaround _ssl_session_dup() for 1.1.0. Python does neither use handshake_func nor SSL_MODE_ASYNC. I'll try to find some time to create a minimal reproducer. It may take a while, though.

Steps to reproduce with Python:

• hg clone https://hg.python.org/cpython/
• modify Modules/_ssl.c and add SSL_SESSION_up_ref(session); return session; to the top of _ssl_session_dup() around line 2355.
• set CPPFLAGS=-Ipath/to/include LDFLAGS=-Lpath/to/lib LD_RUN_PATH=path/to/lib to compile Python with OpenSSL 1.1.0a
• run ./configure && make
• run tests with ./python -m test -v test_ssl

[levitte]

Ping?

[tiran]

@levitte I haven't looked into the issue for a while. I'm abroad until the end of the week. Next week I should have some time to give it another shot.

[levitte]

Fine by me :-)

[davidben]

FYI, I poked at this briefly and don't see any evidence that SSL_shutdown is being called by Python. It seems the pseudocode in the bug report is wrong and this is a Python bug.

(That is, if you believe that OpenSSL should drop sessions if one does not call SSL_shutdown. We actually removed that behavior as it mostly causes problems and, as seen here, doesn't work when the caller round-trips through serialization.)

[davidben]

And confirmed. The immediate trigger was e4612d0, but it just completed a long chain of silliness:

• Python's test never calls SSL_shutdown, in any OpenSSL version. In principle, OpenSSL requires one do that for session caching to work. This is the ssl_clear_bad_session logic. That session caching worked at all in Python was a huge accident. (Separately, one might argue that this SSL_shutdown requirement in OpenSSL is unreasonable and should be removed.)
• On the server, I believe tickets save Python from ssl_clear_bad_session. ssl_clear_bad_session fundamentally cannot work with stateless resumption.
• Python never sets SSL_SESS_CACHE_CLIENT, off by default. One might think this means that client session caching doesn't work, but it just disables the internal session cache (more-or-less useless for a client) and the callback. Rather, Python uses SSL_get_session which works independent of that bit. (Note this will not work in TLS 1.3, so Python should switch to the callback. See discussion here.)
• Prior to e4612d0, not_resumable only got set if the client session was found in the internal session cache, one of the few places it isn't a no-op on the client. Because Python never put anything in the internal session cache, that codepath was never triggered and ssl_clear_bad_session didn't actually work. e4612d0 changed that and now the dominos are all lined up.

[mattcaswell]

As per comment above this seems to be a python issue. Closing this.