Description
Use Separate SSL Session Cache in OTR Mode
Currently Chromium maintains a persistent TLS session cache between OTR and
non-OTR mode. This means that a user can go to https://gmail.com in ordinary
mode, open an incognito window, go to https://gmail.com and Chromium will
use the TLS Session ID from ordinary mode to resume that TLS session.
This patch changes the behaviour as follows:
- TLS Session IDs generated in non-OTR mode are only used in non-OTR mode.
- TLS Session IDs generated in OTR mode are only used in OTR mode.
The patch implements this behaviour for Linux, Mac and Windows.
Chromium's OTR profile now has its own copy of the SSL configuration settings.
If the profile is OTR, a new member of SSLConfig called otr_mode is
set to true. By default, otr_mode is set to false.
On Mac and Linux, if otr_mode is true the phrase "-OTR" is added to the hostname
and port information when constructing the peer_id used to calculate and store
the SSL connection's session ID. This results in a distinct session cache for
SSL connections for each mode.
On Windows an extra bit is added to SSL_VERSION_MASKS. This bitmask defines the
number of CredHandles stored in a CredHandle lookup table. When the SSL connection
belongs to a request made in OTR mode the CredHandle for that connection will be
stored and retrieved from the CredHandle members of the array reserved for OTR
mode.
See also:
https://groups.google.com/group/chromium-extensions/msg/e83920020719a6b2?hl=en
BUG=30877
TEST=https sites perform identically (in particular, https://test-ssev.verisign.com/ and the three pages linked from there)
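The description above explains the fix in terms of the peer_id used to key the session cache: on Mac and Linux, "-OTR" is appended to the host and port when the profile is OTR, so ordinary-mode and incognito lookups can never hit the same entry, and a site can no longer tell from a resumed Session ID that the incognito visitor is the same browser that visited in ordinary mode. The following is an added C++ model of that keying, not Chromium's SSLClientSocket code; the names (SslConfig, SessionCache, MakePeerId, Connect) and the sample session IDs are invented for the example. It contrasts the shared cache the description complains about with the partitioned one the patch introduces.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <string>

// Added illustration of a TLS client session cache keyed by peer_id, in the
// spirit of the Mac/Linux change described in the patch. Not Chromium code;
// all types and names here are invented for the example.

struct SslConfig {
  bool otr_mode = false;  // models the SSLConfig::otr_mode flag from the patch
};

struct Session {
  std::string session_id;  // opaque TLS Session ID handed out by the server
};

// Build the key under which a session is cached. With otr_mode set, "-OTR"
// is appended so OTR and non-OTR lookups for the same host:port never collide.
std::string MakePeerId(const std::string& host, uint16_t port,
                       const SslConfig& config) {
  std::string peer_id = host + ":" + std::to_string(port);
  if (config.otr_mode)
    peer_id += "-OTR";
  return peer_id;
}

class SessionCache {
 public:
  void Store(const std::string& peer_id, const Session& s) {
    cache_[peer_id] = s;
  }
  const Session* Lookup(const std::string& peer_id) const {
    auto it = cache_.find(peer_id);
    return it == cache_.end() ? nullptr : &it->second;
  }

 private:
  std::map<std::string, Session> cache_;
};

// Simulates one connection: returns true if a cached session was resumed
// (the server sees a Session ID it already issued), false if a full
// handshake was needed, in which case the new session is cached.
bool Connect(SessionCache& cache, const std::string& host, uint16_t port,
             const SslConfig& config, const std::string& fresh_session_id) {
  const std::string peer_id = MakePeerId(host, port, config);
  if (cache.Lookup(peer_id) != nullptr)
    return true;
  cache.Store(peer_id, Session{fresh_session_id});
  return false;
}

// The scenario from the description: visit gmail.com in ordinary mode, then
// open it in an incognito window. Returns true if the incognito connection
// resumed the ordinary-mode session. Before the patch the OTR profile shared
// the ordinary SSLConfig, which is modelled here by leaving otr_mode false.
bool IncognitoResumesOrdinarySession(bool separate_caches) {
  SessionCache cache;
  SslConfig ordinary, incognito;
  incognito.otr_mode = separate_caches;
  Connect(cache, "gmail.com", 443, ordinary, "sid-ordinary");
  return Connect(cache, "gmail.com", 443, incognito, "sid-incognito");
}

// Partitioning does not disable resumption: two incognito connections to the
// same host still share one session, as the description's second bullet says.
bool OtrSessionResumesInOtr() {
  SessionCache cache;
  SslConfig incognito;
  incognito.otr_mode = true;
  Connect(cache, "gmail.com", 443, incognito, "sid-incognito");
  return Connect(cache, "gmail.com", 443, incognito, "sid-unused");
}

int main() {
  assert(IncognitoResumesOrdinarySession(false));  // pre-patch behaviour
  assert(!IncognitoResumesOrdinarySession(true));  // post-patch behaviour
  assert(OtrSessionResumesInOtr());
  return 0;
}
```

The check a reviewer would want from this model is the pair of assertions in main(): with the suffix in place an incognito connection always starts with a full handshake rather than presenting the ordinary-mode Session ID, while resumption inside a single mode keeps working, which is what the TEST= line is verifying when it asks that https sites perform identically.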
Patch Set 1
Total comments: 3
Messages
Total messages: 13 (0 generated)