From 7b70d7a821fa6695412d7779551fb7c8d162bf88 Mon Sep 17 00:00:00 2001 From: Apollon Oikonomopoulos Date: Fri, 15 Oct 2010 08:55:59 +0300 Subject: [PATCH] http.client: Disable SSL session ID cache This patch disables the SSL session ID cache for all cURL operations. This is needed because http.HttpBase's PyOpenSSL implementation does not currently set a context using SSL_set_session_id_context(3SSL), cURL tries to re-use the session ID and, according to SSL_set_session_id_context(3SSL): If the session id context is not set on an SSL/TLS server and client certificates are used, stored sessions will not be reused but a fatal error will be flagged and the handshake will fail. Ideally, session caching should be either controlled, or disabled in HttpBase, however PyOpenSSL does not seem to implement SSL_CTX_set_session_cache_mode nor SSL_CTX_set_session_id_context which are used for these purposes (it seems that only M2Crypto's SSL module supports these). Signed-off-by: Apollon Oikonomopoulos Signed-off-by: Michael Hanselmann Reviewed-by: Michael Hanselmann
---
 lib/http/client.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/http/client.py b/lib/http/client.py
index 6745637..8cc4744 100644
--- a/lib/http/client.py
+++ b/lib/http/client.py
@@ -148,6 +148,10 @@ class _HttpClient(object):
 curl.setopt(pycurl.USERAGENT, http.HTTP_GANETI_VERSION)
 curl.setopt(pycurl.PROXY, "")

+ # Disable SSL session ID caching (pycurl >= 7.16.0)
+ if hasattr(pycurl, "SSL_SESSIONID_CACHE"):
+ curl.setopt(pycurl.SSL_SESSIONID_CACHE, False)
+
 # Pass cURL object to external config function
 if curl_config_fn:
 curl_config_fn(curl)
-- 1.7.10.4
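Review bot: The `hasattr(pycurl, "SSL_SESSIONID_CACHE")` guard skips the workaround silently on pycurl builds that lack the option, so on those hosts the client-certificate handshake failure described in the commit message can still occur with nothing in the logs pointing at the cause. Consider adding an `else:` branch that logs it, e.g. `logging.debug("pycurl lacks SSL_SESSIONID_CACHE; SSL session ID cache stays enabled")`, assuming `logging` is in scope in this module. The code comment should also say why the cache is disabled, since that reason currently lives only in the commit message: `# http.HttpBase sets no session ID context, so session reuse with client certificates fails the handshake`. The option is set before `curl_config_fn(curl)` runs, so a caller-supplied config function can switch the cache back on; if that is not intended, the block would need to move after that call. The enclosing method starts and ends outside the hunk.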