[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
Jouni Malinen
j at w1.fi
Thu Jul 23 22:46:36 UTC 2015
On Thu, Jul 23, 2015 at 08:21:11PM +0000, Viktor Dukhovni wrote:
> Postfix happily sends session tickets and resuming sessions even
> though it is using SSLv23_client_method(), and there is no server-side
> session cache (I made sure the client connects to a different server
> process between the initial handshake and the resumption, and that
> there is no "external" cache configured.) Output summary:
I'd assume this is with the more standard TLS SessionTicket which is not
what EAP-FAST is..
> The order of events is:
>
> /* Once only */
> ctx = SSL_CTX_new(SSLv23_client_method());
>
> /* Per connection */
> ssl = SSL_new(ctx);
>
> /* Protocol support varies per server, so not set via global context */
> SSL_set_options(...);
This is all the same.
> /* restore appropriate session from the client cache */
> session = ... ;
> if (session)
>     SSL_set_session(ssl, session);
>
> SSL_connect(ssl);
While this is not.
> What are you doing to associate a previous session with a new SSL
> connection?
With EAP-FAST, I don't really have a cached session in this sense for
deriving the keys and information for ClientHello. Instead of
SSL_set_session(), I'm only calling SSL_set_session_ticket_ext() before
SSL_connect() to provide the externally (to OpenSSL) stored
SessionTicket data. With TLSv1_method(), this data goes out in
ClientHello; with SSLv23_method() it does not (only an empty request for
a standard session ticket is included, not the SessionTicket from EAP-FAST
PAC data).
If I were to store the TLS session during which the EAP-FAST PAC was
provisioned and then issue SSL_set_session() with it here, I would
indeed get an abbreviated handshake with that session (non-empty Session ID
in ClientHello), but that's not how EAP-FAST works. The Session ID is
supposed to be empty here and instead of the standard session ticket
mechanism, the keys come from the SSL_set_session_secret_cb() registered
callback function, which derives the secret in an EAP-FAST specific way
(master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
server_random + client_random, 48)).
--
Jouni Malinen PGP id EFC895FA
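
The derivation quoted at the end of the message, written out as an added example that is not part of the original post or of any project's code. It assumes the T-PRF construction from RFC 4851 section 5.5 (HMAC-SHA1, S = label + 0x00 + seed, two-octet output length, one-octet counter); the function names and the sample key and randoms are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Label quoted in the post for the PAC-Key to master_secret derivation.
LABEL = b"PAC to master secret label hash"

# Constructed sample values, not real key material.
PAC_KEY = bytes(range(32))
SERVER_RANDOM = b"\x11" * 32
CLIENT_RANDOM = b"\x22" * 32


def t_prf(key: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """T-PRF: T1 = HMAC-SHA1(key, S + len + 0x01),
    Tn = HMAC-SHA1(key, T(n-1) + S + len + n), output = T1 + T2 + ..."""
    digest_len = hashlib.sha1().digest_size
    # The counter is a single octet, which bounds the usable output length.
    if not 0 < out_len <= 255 * digest_len:
        raise ValueError("output length out of range for T-PRF")
    s = label + b"\x00" + seed
    length = struct.pack("!H", out_len)  # network byte order
    out, block, counter = b"", b"", 1
    while len(out) < out_len:
        msg = block + s + length + bytes([counter])
        block = hmac.new(key, msg, hashlib.sha1).digest()
        out += block
        counter += 1
    return out[:out_len]


def eap_fast_master_secret(pac_key: bytes, server_random: bytes,
                           client_random: bytes) -> bytes:
    """master_secret as in the post: the seed is server_random first,
    then client_random, and the result is 48 octets."""
    if len(server_random) != 32 or len(client_random) != 32:
        raise ValueError("TLS randoms are 32 octets each")
    return t_prf(pac_key, LABEL, server_random + client_random, 48)


if __name__ == "__main__":
    ms = eap_fast_master_secret(PAC_KEY, SERVER_RANDOM, CLIENT_RANDOM)
    print(len(ms), ms.hex())
```

Because the output length is part of every HMAC input, a 20-octet T-PRF output is not a prefix of the 48-octet one, and swapping the order of the two randoms yields a different master_secret.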