[openssl-dev] Minor bug in custom TLS extensions

Fri Aug 28 00:00:03 UTC 2015

It's not really a bug. The behaviour upon resumption is extension-specific.
Most extensions are only needed for establishing the session; they're
ignored during resumption, and aren't stored in the session state. So it's
rather that the custom extensions API doesn't support stateful extensions.

A client should (SHOULD) always repeat extensions on resumption though, as
it can't know whether the resumption will be accepted.

Do you have a specific example where you need to save custom extension
state? We can think about extending the API, even though I imagine that
anything that does need to keep state will be too complex and hairy to be
handled by the generic extension mechanism.

Cheers,
Emilia

On Tue, Aug 25, 2015 at 7:26 PM, Bill Cox <waywardgeek at google.com> wrote:

> This seems like a bug to me:
>
>         /*
>          * If this ClientHello extension was unhandled and this is a
>          * nonresumed connection, check whether the extension is a custom
>          * TLS Extension (has a custom_srv_ext_record), and if so call the
>          * callback and record the extension number so that an appropriate
>          * ServerHello may be later returned.
>          */
>         else if (!s->hit) {
>             if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
>                 return 0;
>         }
>
> This is in t1_lib.c, in function ssl_scan_clienthello_tlsext.  It looks
> like the check for !s->hit will cause the server to ignore all custom
> extensions on resumed sessions.  At the same time, we do not have a
> mechanism for saving custom extension state in the session.  As a result,
> the server will lose all knowledge of the existence of a custom extension
> after resumption.  Some extensions are only needed during the initial
> handshake, but others set state on the connection that should persist.
> Also, there seems to be no code to keep the client from sending custom
> extensions on resumption, so when OpenSSL talks to OpenSSL with identical
> custom extensions, we're sending TLS extensions on resumption which are
> ignored by the server.
>
> I think the one-line fix is to change the "else if (!s->hit) {" to "else
> {".  Would you guys agree?
>
> Any existing custom extensions that depend on the old behavior need to
> check SSL_session_reused(ssl) to disable custom TLS extensions on
> resumption.  On the positive side, this will reduce the current overhead
> caused by the client sending these extensions on resumption.
>
> Thanks,
> Bill
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150828/8432a1f8/attachment-0001.html>