[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

[Viktor Dukhovni]

On Thu, Jul 23, 2015 at 09:22:04PM +0300, Jouni Malinen wrote:

> I used to use SSL_CTX_new(TLSv1_method()) to initialize SSL_CTX for
> various TLS-based EAP methods. This worked fine with EAP-TLS,
> EAP-PEAP, EAP-TTLS, and EAP-FAST. However, it did not allow OpenSSL to
> negotiate TLS v1.1 or v1.2 to be used. Consequently, there seemed to
> be need to change from TLSv1_method() to SSLv23_method() with
> SSL_OP_NO_SSLv2 and SSL_OP_NO_v3. Initially, this seemed to work fine,
> but I found an issue with EAP-FAST peer (i.e., TLS client).

Postfix happily sends session tickets and resuming sessions even
though it is using SSLv23_client_method(), and there is no server-side
session cache (I made sure the client connets to a different server
process between the initial handshake and the resumption, and that
there is no "external" cache configured.)  Output summary:

    $ posttls-finger -lmay -Ldebug -r 10 -c example.org
    posttls-finger: setting up TLS connection to mx1.example.org[192.0.2.1]:25
    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: SSL_connect:SSLv3 read server key exchange A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
    posttls-finger: SSL_connect:SSLv3 read server session ticket A
    posttls-finger: SSL_connect:SSLv3 read finished A
    posttls-finger: save session [192.0.2.1]:25&8132DFEF2967E661AEDA394357CABF4803EA6915B5AA3750F5C937BEAB39FE1E to memory cache
    posttls-finger: Anonymous TLS connection established to mx1.example.org[192.0.2.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
    posttls-finger: Reconnecting after 10 seconds
    posttls-finger: looking for session [192.0.2.1]:25&8132DFEF2967E661AEDA394357CABF4803EA6915B5AA3750F5C937BEAB39FE1E in memory cache
    posttls-finger: reloaded session [192.0.2.1]:25&8132DFEF2967E661AEDA394357CABF4803EA6915B5AA3750F5C937BEAB39FE1E from memory cache
    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: SSL_connect:SSLv3 read finished A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
    posttls-finger: mx1.example.org[192.0.2.1]:25: Reusing old session
    posttls-finger: Anonymous TLS connection established to mx1.example.org[192.0.2.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)


The order of events is:

	/* Once only */
	ctx = SSL_CTX_new(SSLv23_client_method());

	/* Per connection */
	ssl = SSL_new(ctx);

	/* Protocol support varies per server, so not set via global context */
	SSL_set_options(...);

	/* restore appropriate session from the client cache */
	session = ... ;
	if (session)
	    SSL_set_session(ssl, session);

	SSL_connect(ssl);

What are you doing to associate a previous session with a new SSL
connection?

-- 
	Viktor.