Skip to content

Prevent resumption between "incompatible" clients#2361

Merged
ctz merged 2 commits intomainfrom
jbp-prevent-cross-config-client-resumption
Mar 10, 2025
Merged

Prevent resumption between "incompatible" clients#2361
ctz merged 2 commits intomainfrom
jbp-prevent-cross-config-client-resumption

Conversation

@ctz
Copy link
Member

@ctz ctz commented Feb 28, 2025

"Compatible" here means they have ~interchangeable security, which means they have the same server certificate verifier and same potentially-offered client credentials.

"Same" is defined by Arc equality, which means a rustls user wishing to arrange for multiple ClientConfigs to share a resumption also now need to share the client_auth_cert_resolver and verifier. A non-dangerous function is provided which does this, and also provides a convenient place to document the problem we are solving here.

If we think this is a reasonably-shaped solution to this problem, I will do similar for servers.

fixes #2284

@rustls-benchmarking
Copy link

rustls-benchmarking bot commented Feb 28, 2025
edited
Loading

Benchmark results

Instruction counts

Significant differences

⚠️ There are significant instruction count differences

Click to expand
Scenario Baseline Candidate Diff Threshold
handshake_session_id_aws_lc_rs_1.2_rsa_aes_client 3870895 3896601 ⚠️ 25706 (0.66%) 0.20%
handshake_tickets_aws_lc_rs_1.2_rsa_aes_client 4212889 4239222 ⚠️ 26333 (0.63%) 0.20%
handshake_session_id_ring_1.2_rsa_aes_client 4302072 4327852 ⚠️ 25780 (0.60%) 0.20%
handshake_tickets_ring_1.2_rsa_aes_client 4564994 4590973 ⚠️ 25979 (0.57%) 0.20%

Other differences

Click to expand
Scenario Baseline Candidate Diff Threshold
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_server 10705534 10752385 46851 (0.44%) 2.03%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server 1149089 1144734 -4355 (-0.38%) 1.56%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server 1151384 1147090 -4294 (-0.37%) 1.58%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client 8331042 8302106 -28936 (-0.35%) 1.56%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client 8285249 8308786 23537 (0.28%) 1.37%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client 3102401 3096403 -5998 (-0.19%) 0.59%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_client 27794960 27822190 27230 (0.10%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_client 27790527 27817595 27068 (0.10%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_client 27847519 27874577 27058 (0.10%) 0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_client 27854351 27881357 27006 (0.10%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_client 27788207 27815080 26873 (0.10%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_client 28214578 28241644 27066 (0.10%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_client 28221442 28248480 27038 (0.10%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_client 27850290 27876959 26669 (0.10%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_client 28184879 28211839 26960 (0.10%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_client 28191686 28218608 26922 (0.10%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_client 28187820 28214657 26837 (0.10%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_client 28217688 28244543 26855 (0.10%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client 3102417 3099466 -2951 (-0.10%) 0.58%
handshake_session_id_aws_lc_rs_1.2_rsa_aes_server 3872175 3868725 -3450 (-0.09%) 0.20%
handshake_session_id_ring_1.3_rsa_chacha_client 30839323 30866152 26829 (0.09%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_client 30835270 30862056 26786 (0.09%) 0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_client 30832333 30859107 26774 (0.09%) 0.20%
handshake_session_id_ring_1.3_rsa_aes_client 30930553 30957382 26829 (0.09%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_client 30926500 30953286 26786 (0.09%) 0.20%
handshake_session_id_ring_1.3_ecdsap384_aes_client 30923563 30950337 26774 (0.09%) 0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_client 31153928 31180772 26844 (0.09%) 0.20%
handshake_tickets_ring_1.3_rsa_chacha_client 31157930 31184720 26790 (0.09%) 0.20%
handshake_tickets_ring_1.3_ecdsap256_aes_client 31225139 31251983 26844 (0.09%) 0.20%
handshake_tickets_ring_1.3_rsa_aes_client 31229141 31255931 26790 (0.09%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_client 31150673 31177373 26700 (0.09%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_client 31221863 31248563 26700 (0.09%) 0.20%
handshake_no_resume_ring_1.3_ecdsap256_aes_client 3301674 3304234 2560 (0.08%) 0.26%
handshake_tickets_aws_lc_rs_1.2_rsa_aes_server 5019472 5016022 -3450 (-0.07%) 0.20%
handshake_session_id_ring_1.2_rsa_aes_server 4304018 4301258 -2760 (-0.06%) 0.20%
handshake_tickets_ring_1.2_rsa_aes_server 4768742 4765952 -2790 (-0.06%) 0.20%
transfer_no_resume_ring_1.2_rsa_aes_client 58038535 58021701 -16834 (-0.03%) 0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_client 58180298 58163473 -16825 (-0.03%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_client 58136977 58120622 -16355 (-0.03%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_client 58144123 58127838 -16285 (-0.03%) 0.20%
transfer_no_resume_ring_1.3_rsa_aes_client 58147878 58131604 -16274 (-0.03%) 0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_server 28746491 28740919 -5572 (-0.02%) 0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_server 28824921 28819499 -5422 (-0.02%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_server 28827444 28822185 -5259 (-0.02%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_server 28749108 28743914 -5194 (-0.02%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_server 28748923 28743812 -5111 (-0.02%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_client 92673945 92657591 -16354 (-0.02%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_client 92683002 92666713 -16289 (-0.02%) 0.20%
transfer_no_resume_ring_1.3_rsa_chacha_client 92684848 92668562 -16286 (-0.02%) 0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_server 28827348 28822356 -4992 (-0.02%) 0.20%
handshake_session_id_ring_1.3_rsa_chacha_server 31999030 31993720 -5310 (-0.02%) 0.20%
handshake_session_id_ring_1.3_rsa_aes_server 32120650 32115490 -5160 (-0.02%) 0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_server 32001630 31996830 -4800 (-0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_server 32001529 31996759 -4770 (-0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap384_aes_server 32123250 32118600 -4650 (-0.01%) 0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_server 32123149 32118529 -4620 (-0.01%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_client 1934397 1934150 -247 (-0.01%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_client 1927632 1927400 -232 (-0.01%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_server 30219830 30216409 -3421 (-0.01%) 0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_server 30262486 30259167 -3319 (-0.01%) 0.20%
handshake_tickets_ring_1.3_rsa_chacha_server 32462665 32459155 -3510 (-0.01%) 0.20%
handshake_tickets_ring_1.3_rsa_aes_server 32564590 32561230 -3360 (-0.01%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_server 30265102 30262019 -3083 (-0.01%) 0.20%
handshake_no_resume_ring_1.3_rsa_aes_client 2333813 2333578 -235 (-0.01%) 0.20%
handshake_no_resume_ring_1.3_rsa_chacha_client 2339463 2339228 -235 (-0.01%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_server 30222382 30219398 -2984 (-0.01%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_server 30222312 30219334 -2978 (-0.01%) 0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_server 30265129 30262178 -2951 (-0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client 58239510 58233859 -5651 (-0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client 58237270 58231628 -5642 (-0.01%) 0.20%
handshake_no_resume_ring_1.3_ecdsap256_chacha_client 3305497 3305177 -320 (-0.01%) 0.30%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_client 58241590 58236041 -5549 (-0.01%) 0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server 2064670 2064475 -195 (-0.01%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_server 32465266 32462236 -3030 (-0.01%) 0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_server 32465202 32462232 -2970 (-0.01%) 0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_server 32567146 32564266 -2880 (-0.01%) 0.20%
handshake_tickets_ring_1.3_ecdsap256_aes_server 32567127 32564307 -2820 (-0.01%) 0.20%
handshake_no_resume_ring_1.3_ecdsap256_chacha_server 1297205 1297105 -100 (-0.01%) 0.20%
handshake_no_resume_ring_1.3_ecdsap256_aes_server 1296020 1295927 -93 (-0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client 92702864 92697223 -5641 (-0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client 92700628 92694991 -5637 (-0.01%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_client 92706872 92701313 -5559 (-0.01%) 0.20%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_server 10477785 10478325 540 (0.01%) 1.03%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_server 10688948 10688405 -543 (-0.01%) 1.18%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server 2061638 2061559 -79 (-0.00%) 0.20%
handshake_no_resume_ring_1.2_rsa_aes_client 2245908 2245956 48 (0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_server 7229613 7229503 -110 (-0.00%) 0.20%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_client 1719379 1719403 24 (0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_server 7227650 7227558 -92 (-0.00%) 0.20%
handshake_no_resume_ring_1.2_rsa_aes_server 11000205 11000087 -118 (-0.00%) 0.20%
handshake_no_resume_ring_1.3_rsa_chacha_server 11134362 11134244 -118 (-0.00%) 0.20%
handshake_no_resume_ring_1.3_rsa_aes_server 11128600 11128487 -113 (-0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_client 34743598 34743480 -118 (-0.00%) 0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_client 34741866 34741792 -74 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_server 80645586 80645597 11 (0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_server 46302455 46302459 4 (0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server 46458944 46458941 -3 (-0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_server 80553341 80553336 -5 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server 80642628 80642623 -5 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_server 46407680 46407682 2 (0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_server 46461271 46461269 -2 (-0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_server 80548544 80548546 2 (0.00%) 0.20%
transfer_no_resume_ring_1.2_rsa_aes_server 46198577 46198578 1 (0.00%) 0.20%
transfer_no_resume_ring_1.3_rsa_aes_server 46292207 46292208 1 (0.00%) 0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_server 46298936 46298937 1 (0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server 80650253 80650252 -1 (-0.00%) 0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server 46465929 46465929 0 (0.00%) 0.20%
transfer_no_resume_ring_1.3_rsa_chacha_server 80541811 80541811 0 (0.00%) 0.20%

Wall-time

Significant differences

⚠️ There are significant wall-time differences

Click to expand
Scenario Baseline Candidate Diff Threshold
handshake_no_resume_aws_lc_rs_1.3_rsa_aes 1.12 ms 1.16 ms ⚠️ 0.04 ms (3.71%) 2.37%
handshake_session_id_aws_lc_rs_1.2_rsa_aes 1.66 ms 1.70 ms ⚠️ 0.04 ms (2.40%) 2.22%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha 1.12 ms 1.14 ms ⚠️ 0.02 ms (2.06%) 1.52%

Other differences

Click to expand
Scenario Baseline Candidate Diff Threshold
handshake_no_resume_aws_lc_rs_1.2_rsa_aes 1.09 ms 1.13 ms 0.04 ms (3.68%) 4.12%
handshake_tickets_aws_lc_rs_1.2_rsa_aes 1.83 ms 1.86 ms 0.04 ms (1.95%) 2.80%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes 5.10 ms 5.19 ms 0.09 ms (1.73%) 5.88%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha 4.35 ms 4.29 ms -0.06 ms (-1.41%) 1.84%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha 4.55 ms 4.49 ms -0.06 ms (-1.40%) 1.59%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes 5.19 ms 5.26 ms 0.07 ms (1.38%) 5.61%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha 5.24 ms 5.17 ms -0.07 ms (-1.30%) 1.57%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha 5.02 ms 4.96 ms -0.06 ms (-1.27%) 1.58%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes 4.38 ms 4.33 ms -0.05 ms (-1.21%) 2.26%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes 456.69 µs 462.05 µs 5.36 µs (1.17%) 4.12%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes 4.58 ms 4.52 ms -0.05 ms (-1.16%) 1.45%
transfer_no_resume_ring_1.3_ecdsap256_aes 5.46 ms 5.52 ms 0.06 ms (1.15%) 5.40%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes 5.06 ms 5.01 ms -0.06 ms (-1.14%) 1.72%
transfer_no_resume_ring_1.3_rsa_aes 5.96 ms 6.02 ms 0.07 ms (1.10%) 5.32%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes 5.26 ms 5.21 ms -0.05 ms (-1.03%) 1.25%
transfer_no_resume_ring_1.2_rsa_aes 5.87 ms 5.92 ms 0.06 ms (0.98%) 4.43%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha 454.82 µs 459.00 µs 4.18 µs (0.92%) 5.20%
handshake_no_resume_ring_1.3_ecdsap256_aes 480.90 µs 485.19 µs 4.29 µs (0.89%) 4.01%
handshake_no_resume_ring_1.3_ecdsap256_chacha 474.58 µs 478.45 µs 3.87 µs (0.82%) 4.55%
transfer_no_resume_ring_1.3_ecdsap384_aes 8.58 ms 8.64 ms 0.06 ms (0.73%) 3.38%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha 13.64 ms 13.73 ms 0.09 ms (0.69%) 1.97%
handshake_session_id_ring_1.3_rsa_chacha 6.04 ms 6.00 ms -0.04 ms (-0.67%) 1.00%
handshake_no_resume_ring_1.2_rsa_aes 964.60 µs 970.98 µs 6.39 µs (0.66%) 1.96%
handshake_session_id_ring_1.3_rsa_aes 6.41 ms 6.37 ms -0.04 ms (-0.63%) 1.00%
handshake_session_id_ring_1.3_ecdsap256_aes 5.91 ms 5.88 ms -0.04 ms (-0.62%) 1.00%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha 5.24 ms 5.21 ms -0.03 ms (-0.62%) 1.31%
handshake_no_resume_ring_1.3_rsa_chacha 975.53 µs 981.56 µs 6.03 µs (0.62%) 2.08%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha 5.03 ms 5.00 ms -0.03 ms (-0.60%) 1.00%
handshake_no_resume_ring_1.3_rsa_aes 975.56 µs 981.42 µs 5.87 µs (0.60%) 2.01%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes 4.52 ms 4.55 ms 0.03 ms (0.60%) 7.05%
handshake_tickets_ring_1.2_rsa_aes 1.66 ms 1.67 ms 0.01 ms (0.58%) 1.88%
handshake_session_id_ring_1.3_ecdsap256_chacha 5.55 ms 5.52 ms -0.03 ms (-0.56%) 1.00%
handshake_tickets_ring_1.3_ecdsap256_aes 5.83 ms 5.80 ms -0.03 ms (-0.53%) 1.00%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes 5.21 ms 5.23 ms 0.03 ms (0.51%) 6.33%
transfer_no_resume_ring_1.3_rsa_chacha 13.46 ms 13.52 ms 0.07 ms (0.50%) 1.92%
transfer_no_resume_ring_1.3_ecdsap256_chacha 12.96 ms 13.03 ms 0.06 ms (0.49%) 2.19%
handshake_tickets_ring_1.3_rsa_aes 6.33 ms 6.30 ms -0.03 ms (-0.48%) 1.00%
handshake_session_id_ring_1.3_ecdsap384_chacha 8.67 ms 8.63 ms -0.04 ms (-0.47%) 1.00%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha 13.64 ms 13.70 ms 0.06 ms (0.44%) 2.01%
transfer_no_resume_ring_1.3_ecdsap384_chacha 16.08 ms 16.15 ms 0.07 ms (0.43%) 1.73%
handshake_session_id_ring_1.3_ecdsap384_aes 9.02 ms 8.99 ms -0.04 ms (-0.41%) 1.00%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha 12.96 ms 13.02 ms 0.05 ms (0.40%) 2.40%
handshake_tickets_ring_1.3_rsa_chacha 6.10 ms 6.08 ms -0.02 ms (-0.36%) 1.04%
handshake_tickets_ring_1.3_ecdsap384_aes 8.94 ms 8.91 ms -0.03 ms (-0.35%) 1.00%
handshake_tickets_ring_1.3_ecdsap256_chacha 5.60 ms 5.59 ms -0.02 ms (-0.29%) 1.00%
handshake_tickets_ring_1.3_ecdsap384_chacha 8.72 ms 8.70 ms -0.02 ms (-0.23%) 1.00%
handshake_tickets_aws_lc_rs_1.3_rsa_aes 5.25 ms 5.23 ms -0.01 ms (-0.23%) 1.37%
handshake_session_id_aws_lc_rs_1.3_rsa_aes 5.05 ms 5.04 ms -0.01 ms (-0.22%) 1.48%
handshake_session_id_ring_1.2_rsa_aes 1.58 ms 1.58 ms 0.00 ms (0.20%) 1.28%
handshake_no_resume_ring_1.3_ecdsap384_aes 3.60 ms 3.61 ms 0.01 ms (0.16%) 1.00%
handshake_no_resume_ring_1.3_ecdsap384_chacha 3.59 ms 3.60 ms 0.00 ms (0.12%) 1.00%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha 1.14 ms 1.14 ms 0.00 ms (0.08%) 1.22%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes 1.15 ms 1.15 ms 0.00 ms (0.07%) 1.78%

Additional information

Historical results

Checkout details:

@ctz ctz force-pushed the jbp-prevent-cross-config-client-resumption branch from ac0df36 to 426d6bf Compare February 28, 2025 15:00
@codecov
Copy link

codecov bot commented Feb 28, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 63.73626% with 33 lines in your changes missing coverage. Please review.

Project coverage is 94.78%. Comparing base (5860d10) to head (42c1d0a).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
rustls/src/client/handy.rs 15.38% 33 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2361      +/-   ##
==========================================
- Coverage   94.90%   94.78%   -0.12%     
==========================================
  Files         103      103              
  Lines       24551    24641      +90     
==========================================
+ Hits        23299    23357      +58     
- Misses       1252     1284      +32

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

djc
djc reviewed Mar 1, 2025
View reviewed changes
@djc
Copy link
Member

djc commented Mar 1, 2025

What about the server? Is there something that prevents similar incompatible resumption issues across server configs?

@ctz
Copy link
Member Author

ctz commented Mar 3, 2025

What about the server? Is there something that prevents similar incompatible resumption issues across server configs?

Yeah I'd probably do the same for ClientCertVerifier and ResolvesServerCert on servers. Deserialized sessions would be free from the equality restrictions.

ctz added 2 commits March 10, 2025 09:00
@ctz
Extend CountingLogger to remember messages too
6baf846
@ctz
Prevent resumption between "incompatible" clients
42c1d0a 
"Compatible" here means they have ~interchangeable security,
which means they have the same server certificate verifier
and same potentially-offered client credentials.

"Same" is defined by `Arc` equality, which means a rustls user
wishing to arrange for multiple `ClientConfig`s to share a
`resumption` _also_ now need to share the
`client_auth_cert_resolver` and `verifier`.  (The way to do this
is to clone-and-edit the original config, or keep hold of the
verifier and insert it using the `dangerous().set_certificate_verifier()`.)
@ctz ctz force-pushed the jbp-prevent-cross-config-client-resumption branch from 426d6bf to 42c1d0a Compare March 10, 2025 09:25
@ctz
Copy link
Member Author

ctz commented Mar 10, 2025

(Plan to address the coverage gaps here shortly.)

@ctz ctz added this pull request to the merge queue Mar 10, 2025
Merged via the queue into main with commit da46c21 Mar 10, 2025
60 of 62 checks passed
@ctz ctz deleted the jbp-prevent-cross-config-client-resumption branch March 10, 2025 15:34
@bartlomieju bartlomieju mentioned this pull request Jul 9, 2025
Open
@ctz ctz mentioned this pull request Oct 23, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@djc djc djc approved these changes

@cpu cpu cpu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Default to more precise segregation of resumed sessions

3 participants

@ctz @djc @cpu