[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
Matt Caswell
matt at openssl.org
Wed Aug 5 12:40:25 UTC 2015
On 04/08/15 22:03, Ian McFadries (imcfadri) wrote:
> Sorry for the delayed response, I was away for a week and was able to test the fix today.
>
> The fix did resolve the session ticket issue that I was encountering. However, now I get an error when I am not using the session tickets under the following conditions. I am continuing to investigate.
>
> Create an SSL Session using the context that negotiates the highest available version
> Client hello requests TLS 1.2
> Server responds with server hello using TLS 1.0
> Complete handshake with no problems
> Disconnect session
> Start new session which attempts a fast session resumption
> Client sends Alert 70 (SSL_AD_PROTOCOLVERSION) because SSL struct version contains version 0x303 but message after first message contains version 0x301
Oh. Try this additional patch. By moving the session creation earlier in
the process the session protocol version gets fixed at that earlier
point. Unfortunately we have moved it to a point *before* version
negotiation has completed. This patch just updates the session version
once version negotiation is finished.
Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: session-resum-1.0.2.patch
Type: text/x-patch
Size: 1017 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150805/282b5f45/attachment-0001.bin>
More information about the openssl-dev
mailing list