http.client: Disable SSL session ID cache

This patch disables the SSL session ID cache for all cURL operations.
This is needed because http.HttpBase's PyOpenSSL implementation does not
currently set a context using SSL_set_session_id_context(3SSL), cURL
tries to re-use the session ID and, according to
SSL_set_session_id_context(3SSL):

 If the session id context is not set on an SSL/TLS server and client
 certificates are used, stored sessions will not be reused but a fatal
 error will be flagged and the handshake will fail.

Ideally, session caching should be either controlled, or disabled in
HttpBase, however PyOpenSSL does not seem to implement
SSL_CTX_set_session_cache_mode nor SSL_CTX_set_session_id_context which
are used for these purposes (it seems that only M2Crypto's SSL module
supports these).

Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Signed-off-by: Michael Hanselmann <hansmi@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>

diff --git a/lib/http/client.py b/lib/http/client.py
index 6745637..8cc4744 100644 (file)
--- a/lib/http/client.py
+++ b/lib/http/client.py
@@ -148,6 +148,10 @@ class _HttpClient(object):
     curl.setopt(pycurl.USERAGENT, http.HTTP_GANETI_VERSION)
     curl.setopt(pycurl.PROXY, "")
 
+    # Disable SSL session ID caching (pycurl >= 7.16.0)
+    if hasattr(pycurl, "SSL_SESSIONID_CACHE"):
+      curl.setopt(pycurl.SSL_SESSIONID_CACHE, False)
+
     # Pass cURL object to external config function
     if curl_config_fn:
       curl_config_fn(curl)