[openssl-dev] tls_session_secret_cb method return value

Ian McFadries (imcfadri) imcfadri at cisco.com
Thu Aug 6 21:18:21 UTC 2015


I am trying to determine if the tls_session_secret_cb return value is used to indicate an unrecoverable error has been encountered
(i.e. bad pointer for data needed to calculate secret) or if it is intended to be an indicator that the session secret is deemed
invalid (EAP-FAST PAC expired resulting in new session therefore determine that secret should not be calculated).

The code I am working on is using the tls_session_secret_cb return value as the latter specified above, and that caused our
implementation of EAP-FAST to break when a PAC expires after we picked up release 1.0.1l of OpenSSL.  A change was made in s3_clnt.c
ssl3_get_server_hello method at line 889.  Previously, if tls_session_secret_cb returned 0 no action was taken, but the change
resulted in SSLErr if tls_session_secret_cb returned 0.

I believe that we should treat the tls_session_secret_cb return value to indicate an unrecoverable error only.  Then in the scenario
where the PAC expires, although we would not calculate the secret, it will work fine since the secret will be calculated later in
OpenSSL when servicing the client key exchange.
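An added example (not code from this mail, from Cisco's EAP-FAST implementation, or from OpenSSL) of a callback written to the contract the mail argues for: 0 only for an unrecoverable error, 1 with a zero secret length when the PAC is missing or expired. It uses the OpenSSL 1.0.x tls_session_secret_cb_fn signature against forward-declared struct tags so it compiles without OpenSSL headers; the `eap_fast_ctx` state, the `demo_derive` stand-in for the RFC 4851 T-PRF derivation and the `run_case` driver are assumptions made for this example.

```c
#include <time.h>
/* OpenSSL struct tags, forward-declared so this compiles without ssl.h. */
struct ssl_st; struct ssl_cipher_st; struct stack_st_SSL_CIPHER;
#define PAC_KEY_LEN 32        /* EAP-FAST PAC-Key length, RFC 4851 */
#define MASTER_SECRET_LEN 48  /* TLS master secret length */
/* Hypothetical application state handed to the callback as 'arg'. */
struct eap_fast_ctx {
    int has_pac;            /* a PAC has been provisioned */
    time_t pac_expiry;      /* end of the PAC lifetime */
    time_t now;             /* injected clock, for testability */
    unsigned char pac_key[PAC_KEY_LEN];
    /* master-secret derivation (T-PRF in RFC 4851), supplied by the caller */
    int (*derive)(const struct eap_fast_ctx *, unsigned char *out, int out_len);
};
/* Constructed stand-in for T-PRF so the file runs offline; not the real derivation. */
int demo_derive(const struct eap_fast_ctx *ctx, unsigned char *out, int out_len)
{
    for (int i = 0; i < out_len; i++)
        out[i] = ctx->pac_key[i % PAC_KEY_LEN];
    return 1;
}
/* Return 0 only for unrecoverable errors (bad pointers, undersized buffer).
 * A missing or expired PAC is not an error: return 1 with *secret_len = 0 so
 * OpenSSL runs a full handshake and derives the secret in the client key exchange. */
int eap_fast_session_secret_cb(struct ssl_st *s, void *secret, int *secret_len,
                               struct stack_st_SSL_CIPHER *peer_ciphers,
                               struct ssl_cipher_st **cipher, void *arg)
{
    struct eap_fast_ctx *ctx = arg;
    (void)s; (void)peer_ciphers; (void)cipher;  /* cipher left NULL: OpenSSL uses the ServerHello's */
    if (ctx == NULL || secret == NULL || secret_len == NULL || ctx->derive == NULL)
        return 0;
    if (*secret_len < MASTER_SECRET_LEN) return 0;
    if (!ctx->has_pac || ctx->now >= ctx->pac_expiry) {
        *secret_len = 0;     /* no PAC secret: fall through to a full handshake */
        return 1;
    }
    if (!ctx->derive(ctx, secret, MASTER_SECRET_LEN)) return 0;
    *secret_len = MASTER_SECRET_LEN;
    return 1;
}
/* Drives one scenario: -1 when the callback reports an error, else the secret length. */
int run_case(int has_pac, long now, long expiry, int buf_len)
{
    struct eap_fast_ctx ctx = { has_pac, (time_t)expiry, (time_t)now, {0x42}, demo_derive };
    unsigned char buf[MASTER_SECRET_LEN];
    int len = buf_len;
    return eap_fast_session_secret_cb(NULL, buf, &len, NULL, NULL, &ctx) ? len : -1;
}
```

In a real build the callback is registered with SSL_set_session_secret_cb(ssl, eap_fast_session_secret_cb, &ctx); the driver passes NULL for the SSL handle because the callback never dereferences it.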