[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

[Ian McFadries (imcfadri)]

I have encountered a problem with EAP-FAST PACs when switching our implementation of OpenSSL from a context that supports TLSv1.0 only to a context that supports negotiation to the highest available TLS version.

For EAP-FAST the PAC opaque is loaded into the SSL tlsext_session_ticket using the SSL_set_session_ticket_ext method during initialization of the SSL connection.

When the SSL context is set using TLSV1_client_method (TLS v1.0), the ssl3_client_hello method is invoked for the client hello message which calls ssl_get_new_session if SSL session is NULL.  The ssl3_client_hello method eventually calls ssl_add_clienthello_tlsext which will initialize the SSL session tlsext_tick structure as long as the SSL structure contains a session that is not NULL.

When the SSL context is set using SSLv23_client_method, the ssl23_client_hello method is invoked for the client hello message which does not call ssl_get_new_session (the call is commented out) before the ssl_add_clienthello_tlsext is called.  In this scenario the SSL session is NULL, so when ssl_add_clienthello_tlsext is called it does not initialize the SSL session tlsext_tick structure.  This results in the EAP-FAST PAC not being loaded into the TLS session ticket extension when using the methods that support negotiation of the highest available SSL/TLS version.

In order for TLS session ticket extension to work with the SSLv23_client_method's it seems that the ssl23_client_hello method should add a new session object to the SSL connection when there is none, similar to what is done in the ssl3_client_hello method.

Ian McFadries
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150723/90b55bfe/attachment-0001.html>