#3880: NetSSL_OpenSSL: Support session resumption with TLSv1.3

2025-10-23 00:07:59 +02:00 · 2023-06-06 13:06:02 +02:00
parent a9ad113742
commit 8f764e3505
7 changed files with 58 additions and 25 deletions
--- a/NetSSL_OpenSSL/src/Context.cpp
+++ b/NetSSL_OpenSSL/src/Context.cpp
@@ -15,6 +15,7 @@
 #include "Poco/Net/Context.h"
 #include "Poco/Net/SSLManager.h"
 #include "Poco/Net/SSLException.h"
+#include "Poco/Net/SecureSocketImpl.h"
 #include "Poco/Net/Utility.h"
 #include "Poco/Crypto/OpenSSLInitializer.h"
 #include "Poco/File.h"
@@ -195,6 +196,11 @@ void Context::init(const Params& params)
 		SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
 		SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);

+		if (!isForServerUse())
+		{
+			SSL_CTX_sess_set_new_cb(_pSSLContext, &SecureSocketImpl::onSessionCreated);
+		}
+
 		if (!isForServerUse() && params.ocspStaplingVerification)
 		{
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
--- a/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
+++ b/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
@@ -14,6 +14,7 @@

 #include "Poco/Net/SecureSocketImpl.h"
 #include "Poco/Net/SSLException.h"
+#include "Poco/Net/SSLManager.h"
 #include "Poco/Net/Context.h"
 #include "Poco/Net/X509Certificate.h"
 #include "Poco/Net/Utility.h"
@@ -97,6 +98,7 @@ void SecureSocketImpl::acceptSSL()
 	}
 	SSL_set_bio(_pSSL, pBIO, pBIO);
 	SSL_set_accept_state(_pSSL);
+	SSL_set_ex_data(_pSSL, SSLManager::instance().socketIndex(), this);
 	_needHandshake = true;
 }

@@ -156,6 +158,7 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
 		throw SSLException("Cannot create SSL object");
 	}
 	SSL_set_bio(_pSSL, pBIO, pBIO);
+	SSL_set_ex_data(_pSSL, SSLManager::instance().socketIndex(), this);

 	if (!_peerHostName.empty())
 	{
@@ -169,7 +172,7 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
 	}
 #endif

-	if (_pSession)
+	if (_pSession && _pSession->isResumable())
 	{
 		SSL_set_session(_pSSL, _pSession->sslSession());
 	}
@@ -609,6 +612,7 @@ void SecureSocketImpl::reset()
 	close();
 	if (_pSSL)
 	{
+		SSL_set_ex_data(_pSSL, SSLManager::instance().socketIndex(), nullptr);
 		SSL_free(_pSSL);
 		_pSSL = 0;
 	}
@@ -623,20 +627,7 @@ void SecureSocketImpl::abort()

 Session::Ptr SecureSocketImpl::currentSession()
 {
-	if (_pSSL)
-	{
-		SSL_SESSION* pSession = SSL_get1_session(_pSSL);
-		if (pSession)
-		{
-			if (_pSession && pSession == _pSession->sslSession())
-			{
-				SSL_SESSION_free(pSession);
-				return _pSession;
-			}
-			else return new Session(pSession);
-		}
-	}
-	return 0;
+	return _pSession;
 }


@@ -655,4 +646,17 @@ bool SecureSocketImpl::sessionWasReused()
 }


+int SecureSocketImpl::onSessionCreated(SSL* pSSL, SSL_SESSION* pSession)
+{
+	void* pEx = SSL_get_ex_data(pSSL, SSLManager::instance().socketIndex());
+	if (pEx)
+	{
+		SecureSocketImpl* pThis = reinterpret_cast<SecureSocketImpl*>(pEx);
+		pThis->_pSession = new Session(pSession);
+		return 1;
+	}
+	else return 0;
+}
+
+
 } } // namespace Poco::Net
--- a/NetSSL_OpenSSL/src/Session.cpp
+++ b/NetSSL_OpenSSL/src/Session.cpp
@@ -12,13 +12,8 @@
 //


-#if defined(__APPLE__)
-// Some OpenSSL functions are deprecated in OS X 10.7
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-#endif
-
-
 #include "Poco/Net/Session.h"
+#include <openssl/ssl.h>


 namespace Poco {
@@ -37,4 +32,14 @@ Session::~Session()
 }


+bool Session::isResumable() const
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+	return SSL_SESSION_is_resumable(_pSession) == 1;
+#else
+	return false;
+#endif
+}
+
+
 } } // namespace Poco::Net