[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Fri Jul 6 22:44:42 UTC 2018
The branch master has been updated
via c9d6fdd6f79c1725215347ad8409b1e60eaccf0c (commit)
from 0edb109f97c1bbbd5961326f93b2ccf385b26674 (commit)
- Log -----------------------------------------------------------------
commit c9d6fdd6f79c1725215347ad8409b1e60eaccf0c
Author: Matt Caswell <matt at openssl.org>
Date: Fri Jul 6 09:16:51 2018 +0100
Don't fail if the PSK identity doesn't match

In 1.1.0 s_server if the PSK identity doesn't match what we have then
a warning is printed and we continue the connection anyway. In 1.1.1,
if TLSv1.3 is used and the identity doesn't match then we abort the
connection. We should really be consistent with the old behaviour.

Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6659)
-----------------------------------------------------------------------
Summary of changes:
apps/s_server.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index 4e8a9e2..94c1826 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -192,8 +192,11 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
const SSL_CIPHER *cipher = NULL;
if (strlen(psk_identity) != identity_len
- || memcmp(psk_identity, identity, identity_len) != 0)
- return 0;
+ || memcmp(psk_identity, identity, identity_len) != 0) {
+ BIO_printf(bio_s_out,
+ "PSK warning: client identity not what we expected"
+ " (got '%s' expected '%s')\n", identity, psk_identity);
+ }
if (psksess != NULL) {
SSL_SESSION_up_ref(psksess);
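Review bot: In the new BIO_printf call, `identity` is formatted with `%s`, but it arrives as a `const unsigned char *` with a separate `identity_len`, and the check just above compares it with memcmp over that length, so nothing in this hunk guarantees it is NUL-terminated. Since the value is supplied by the client, bound the print to the length, for example `"(got '%.*s' expected '%s')\n", (int)identity_len, identity, psk_identity`, and consider escaping non-printable bytes before they are written to bio_s_out. A short code comment stating that the mismatch is deliberately non-fatal here, to match the 1.1.0 behaviour, would also help the next reader, since the function now goes on to use psksess regardless of the identity received.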