The session context is used for session callbacks rather than the normal
context, which breaks state lookup when the context has been swapped out
(e.g. for SNI). Since there isn't an accessor for the session context,
we just store an extra reference in the SSL's ex data.
Closes#1115
The job of an SNI callback is typically to swap out the context
associated with an SSL depending on the domain the client is trying to
talk to. Typically, only the callbacks associated with the current
context are used, but this is not the case for the SNI callback.
If SNI is run for a second time on a connection (i.e. in a
renegotiation) and the context was replaced with one that didn't itself
register an SNI callback, the old callback would run but wouldn't be
able to find its state in the context's ex data. To work around this, we
pass the pointer to the callback data directly to the callback to make
sure it's always available. It still lives in ex data to handle the
lifetime management.
Closes#979
I used this as build flags for openssl 1.1.1:
```
/usr/bin/perl ./Configure linux-x86_64 no-shared no-zlib no-psk no-srp no-weak-ssl-ciphers no-idea
```
rust-openssl crashed with this error:
```
Compiling openssl v0.10.10
error[E0433]: failed to resolve. Use of undeclared type or module `CStr`
--> /home/stefan/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-0.10.10/src/ssl/callbacks.rs:386:16
|
386 | let line = CStr::from_ptr(line).to_bytes();
| ^^^^ Use of undeclared type or module `CStr`
error[E0412]: cannot find type `c_char` in this scope
--> /home/stefan/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-0.10.10/src/ssl/callbacks.rs:377:75
|
377 | pub unsafe extern "C" fn raw_keylog<F>(ssl: *const ffi::SSL, line: *const c_char)
| ^^^^^^ did you mean `c_uchar`?
help: possible candidates are found in other modules, you can import them into scope
|
1 | use libc::c_char;
|
1 | use std::os::raw::c_char;
|
error: aborting due to 2 previous errors
Some errors occurred: E0412, E0433.
For more information about an error, try `rustc --explain E0412`.
error: Could not compile `openssl`.
warning: build failed, waiting for other jobs to finish...
```
this patch fixes the problem
The initial session ticket is now sent as part of SSL_accept, so some
tests need to write a single byte through the stream to make sure that
both ends have fully completed to avoid test flakes.
TLSv1.3 cipher suite control has been extracted from the normal cipher
list into a separate method: SslContextBuilder::set_ciphersuites.
Steven Fackler