Merge pull request #225 from cconlon/clientSessionCacheDisable

JSSE: add Security property to disable Java client session cache

Author: JacobBarthelmeh

README.md

@@ -437,6 +437,17 @@ This option can be used to restrict use of the wolfJCE "WKS" KeyStore type
 to help ensure conformance to using FIPS-validated cryptography. Other
 non-wolfJCE KeyStore implementations may not use/consume FIPS validated crypto.
 
+**wolfjsse.clientSessionCache.disabled (String)** - Can be used to disable
+the Java client session cache. Disabling this will cause client-side session
+resumption to no longer resume, making all connections fall back to a full
+handshake. This should be set to the String "true" if you want to disable
+the Java client session cache. This does not need to be set to "enable" the
+cache. The Java client cache is enabled by default.
+
+```
+wolfjsse.clientSessionCache.disabled=true
+```
+
 If there are other Security properties you would like to use with wolfJSSE,
 please contact support@wolfssl.com.
 

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -1407,7 +1407,12 @@ protected synchronized int saveSession() {
                  * maintains session cache at native level. */
                 this.session.setResume();
             }
-            return this.authStore.addSession(this.session);
+            if (WolfSSLUtil.sessionCacheDisabled()) {
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                    "not storing session in cache, cache has been disabled");
+            } else {
+                return this.authStore.addSession(this.session);
+            }
         }
 
         return WolfSSL.SSL_FAILURE;

src/java/com/wolfssl/provider/jsse/WolfSSLUtil.java

@@ -247,6 +247,28 @@ protected static String getRequiredKeyStoreType() {
         return requiredType;
     }
 
+    /**
+     * Return if session cache has been disabled in java.security
+     * with 'wolfjsse.clientSessionCache.disabled' Security property.
+     *
+     * @return true if disabled, otherwise false
+     */
+    protected static boolean sessionCacheDisabled() {
+
+        String disabled =
+            Security.getProperty("wolfjsse.clientSessionCache.disabled");
+
+        if (disabled == null || disabled.isEmpty()) {
+            return false;
+        }
+
+        if (disabled.equalsIgnoreCase("true")) {
+            return true;
+        }
+
+        return false;
+    }
+
     /**
      * Check given KeyStore against any pre-defind requirements for
      * KeyStore use, including the following.

src/test/com/wolfssl/provider/jsse/test/WolfSSLEngineTest.java

@@ -981,55 +981,72 @@ public void testReuseSession()
         SSLEngine client;
         int ret;
 
-        /* create new SSLEngine */
         System.out.print("\tSession reuse");
 
-        this.ctx = tf.createSSLContext("TLS", engineProvider);
-        server = this.ctx.createSSLEngine();
-        client = this.ctx.createSSLEngine("wolfSSL client test", 11111);
-
-        server.setUseClientMode(false);
-        server.setNeedClientAuth(false);
-        client.setUseClientMode(true);
-        ret = tf.testConnection(server, client, null, null, "Test reuse");
-        if (ret != 0) {
-            error("\t\t\t... failed");
-            fail("failed to create engine");
-        }
+        /* wolfjsse.clientSessionCache.disabled could be set in users
+         * java.security file which would cause this test to not work
+         * properly. Save their setting here, and re-enable session
+         * cache for this test */
+        String originalProp = Security.getProperty(
+            "wolfjsse.clientSessionCache.disabled");
+        Security.setProperty("wolfjsse.clientSessionCache.disabled", "false");
 
         try {
-            /* test close connection */
-            tf.CloseConnection(server, client, false);
-        } catch (SSLException ex) {
-            error("\t\t\t... failed");
-            fail("failed to create engine");
-        }
+            /* create new SSLEngine */
+            this.ctx = tf.createSSLContext("TLS", engineProvider);
+            server = this.ctx.createSSLEngine();
+            client = this.ctx.createSSLEngine("wolfSSL client test", 11111);
 
-        server = this.ctx.createSSLEngine();
-        client = this.ctx.createSSLEngine("wolfSSL client test", 11111);
-        client.setEnableSessionCreation(false);
-        server.setUseClientMode(false);
-        server.setNeedClientAuth(false);
-        client.setUseClientMode(true);
-        ret = tf.testConnection(server, client, null, null, "Test reuse");
-        if (ret != 0) {
-            error("\t\t\t... failed");
-            fail("failed to create engine");
-        }
-        try {
-            /* test close connection */
-            tf.CloseConnection(server, client, false);
-        } catch (SSLException ex) {
-            error("\t\t\t... failed");
-            fail("failed to create engine");
-        }
+            server.setUseClientMode(false);
+            server.setNeedClientAuth(false);
+            client.setUseClientMode(true);
+            ret = tf.testConnection(server, client, null, null, "Test reuse");
+            if (ret != 0) {
+                error("\t\t\t... failed");
+                fail("failed to create engine");
+            }
 
-        if (client.getEnableSessionCreation() ||
-            !server.getEnableSessionCreation()) {
-            error("\t\t\t... failed");
-            fail("bad enabled session creation");
+            try {
+                /* test close connection */
+                tf.CloseConnection(server, client, false);
+            } catch (SSLException ex) {
+                error("\t\t\t... failed");
+                fail("failed to create engine");
+            }
+
+            server = this.ctx.createSSLEngine();
+            client = this.ctx.createSSLEngine("wolfSSL client test", 11111);
+            client.setEnableSessionCreation(false);
+            server.setUseClientMode(false);
+            server.setNeedClientAuth(false);
+            client.setUseClientMode(true);
+            ret = tf.testConnection(server, client, null, null, "Test reuse");
+            if (ret != 0) {
+                error("\t\t\t... failed");
+                fail("failed to create engine");
+            }
+            try {
+                /* test close connection */
+                tf.CloseConnection(server, client, false);
+            } catch (SSLException ex) {
+                error("\t\t\t... failed");
+                fail("failed to create engine");
+            }
+
+            if (client.getEnableSessionCreation() ||
+                !server.getEnableSessionCreation()) {
+                error("\t\t\t... failed");
+                fail("bad enabled session creation");
+            }
+
+            pass("\t\t\t... passed");
+
+        } finally {
+            if (originalProp != null && !originalProp.isEmpty()) {
+                Security.setProperty(
+                    "wolfjsse.clientSessionCache.disabled", originalProp);
+            }
         }
-        pass("\t\t\t... passed");
     }
 
     /**