merge revision(s) r48563,r46261,r48581: [Backport ruby#10533]

nagachika · nagachika · commit fd87a8aebba9 · 2015-02-17T17:08:26.000Z
* lib/net/http.rb: Do not attempt SSL session resumption when the session is expired. [Bug ruby#10533] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@49631 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+Wed Feb 18 00:27:57 2015  Eric Hodel  <drbrain@segment7.net>
+
+	* lib/net/http.rb:  Do not attempt SSL session resumption when the
+	  session is expired.  [Bug #10533]
+
 Wed Feb 18 00:20:36 2015  Eric Wong  <e@80x24.org>
 
 	* vm_eval.c (rb_yield_splat): add missing GC guard
diff --git a/lib/net/http.rb b/lib/net/http.rb
@@ -914,7 +914,10 @@ def connect
             @socket.write(buf)
             HTTPResponse.read_new(@socket).value
           end
-          s.session = @ssl_session if @ssl_session
+          if @ssl_session and
+             Time.now < @ssl_session.time + @ssl_session.timeout
+            s.session = @ssl_session if @ssl_session
+          end
           # Server Name Indication (SNI) RFC 3546
           s.hostname = @address if s.respond_to? :hostname=
           Timeout.timeout(@open_timeout, Net::OpenTimeout) { s.connect }
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
@@ -73,12 +73,45 @@ def test_session_reuse
     http.get("/")
     http.finish # three times due to possible bug in OpenSSL 0.9.8
 
+    sid = http.instance_variable_get(:@ssl_session).id
+
     http.start
     http.get("/")
 
     socket = http.instance_variable_get(:@socket).io
 
     assert socket.session_reused?
+
+    assert_equal sid, http.instance_variable_get(:@ssl_session).id
+
+    http.finish
+  rescue SystemCallError
+    skip $!
+  end
+
+  def test_session_reuse_but_expire
+    http = Net::HTTP.new("localhost", config("port"))
+    http.use_ssl = true
+    http.verify_callback = Proc.new do |preverify_ok, store_ctx|
+      store_ctx.current_cert.to_der == config('ssl_certificate').to_der
+    end
+
+    http.ssl_timeout = -1
+    http.start
+    http.get("/")
+    http.finish
+
+    sid = http.instance_variable_get(:@ssl_session).id
+
+    http.start
+    http.get("/")
+
+    socket = http.instance_variable_get(:@socket).io
+    assert_equal false, socket.session_reused?
+
+    assert_not_equal sid, http.instance_variable_get(:@ssl_session).id
+
+    http.finish
   rescue SystemCallError
     skip $!
   end
diff --git a/version.h b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.1.5"
 #define RUBY_RELEASE_DATE "2015-02-18"
-#define RUBY_PATCHLEVEL 296
+#define RUBY_PATCHLEVEL 297
 
 #define RUBY_RELEASE_YEAR 2015
 #define RUBY_RELEASE_MONTH 2
