[openssl-dev] EAP-FAST and OpenSSL 1.1.x with new client TLS state machine

Matt Caswell matt at openssl.org
Fri Dec 4 10:27:48 UTC 2015



On 03/12/15 23:09, Jouni Malinen wrote:
> Any idea what happened with these OpenSSL client state machine changes
> and how to get this fixed to restore EAP-FAST functionality?

EAP-FAST is very strange. Normally you know whether you are resuming a
session or not based on the session id returned from the server. However
that's not the case with EAP-FAST - you have to wait to see what message
the server sends you next to determine what's happening (which is really
horrible).

The new state machine code waits until a message is received from the
peer and then checks it against its allowed list of transitions based on
its current state. If it's not allowed then you get an unexpected message
alert. It looks like the check for the EAP-FAST session resumption case
is missing from the new code.

Please can you try the attached patch and see if that resolves the
issue? Let me know how you get on.

Thanks

Matt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-eap-fast.patch
Type: text/x-patch
Size: 1687 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151204/24fad6c1/attachment.bin>
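
Added example, not part of the original message and not the attached patch or OpenSSL's code: a toy C model of the transition check described above, showing why a check keyed only on the session id rejects an EAP-FAST resumption and how letting the next message decide accepts it. All names are hypothetical, and the model assumes a full handshake continues with Certificate.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model only: every name here is hypothetical, none is an OpenSSL identifier. */
enum msg { MSG_CERTIFICATE, MSG_CHANGE_CIPHER_SPEC };
enum result { UNEXPECTED_MESSAGE = -1, FULL_HANDSHAKE = 0, RESUMED = 1 };

struct client {
    bool session_id_matched; /* ServerHello echoed the session id we offered */
    bool fast_cred_offered;  /* assumption: client offered an EAP-FAST credential */
};

/* Strict check: resumption is known from the session id before the next message. */
static enum result next_after_server_hello_strict(const struct client *c, enum msg m)
{
    if (c->session_id_matched)
        return m == MSG_CHANGE_CIPHER_SPEC ? RESUMED : UNEXPECTED_MESSAGE;
    return m == MSG_CERTIFICATE ? FULL_HANDSHAKE : UNEXPECTED_MESSAGE;
}

/* EAP-FAST-aware check: when the session id did not match but an EAP-FAST
 * credential was offered, the next message decides. ChangeCipherSpec means the
 * server is resuming; anything else falls through to the strict rules. */
static enum result next_after_server_hello_fast(const struct client *c, enum msg m)
{
    if (!c->session_id_matched && c->fast_cred_offered
        && m == MSG_CHANGE_CIPHER_SPEC)
        return RESUMED;
    return next_after_server_hello_strict(c, m);
}

int main(void)
{
    struct client fast = { .session_id_matched = false, .fast_cred_offered = true };
    printf("strict: %d\n", next_after_server_hello_strict(&fast, MSG_CHANGE_CIPHER_SPEC));
    printf("aware:  %d\n", next_after_server_hello_fast(&fast, MSG_CHANGE_CIPHER_SPEC));
    return 0;
}
```

The relaxed branch is gated on the credential having been offered, so a client that never offered one still rejects an early ChangeCipherSpec as an unexpected message.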

