[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

Jouni Malinen j at w1.fi
Thu Jul 23 22:46:36 UTC 2015 

On Thu, Jul 23, 2015 at 08:21:11PM +0000, Viktor Dukhovni wrote:
> Postfix happily sends session tickets and resuming sessions even
> though it is using SSLv23_client_method(), and there is no server-side
> session cache (I made sure the client connets to a different server
> process between the initial handshake and the resumption, and that
> there is no "external" cache configured.)  Output summary:

I'd assume this is with the more standard TLS SessionTicket which is not
what EAP-FAST is..

> The order of events is:
> 
> 	/* Once only */
> 	ctx = SSL_CTX_new(SSLv23_client_method());
> 
> 	/* Per connection */
> 	ssl = SSL_new(ctx);
> 
> 	/* Protocol support varies per server, so not set via global context */
> 	SSL_set_options(...);

This is all same..

> 	/* restore appropriate session from the client cache */
> 	session = ... ;
> 	if (session)
> 	    SSL_set_session(ssl, session);
> 
> 	SSL_connect(ssl);

While this is not.

> What are you doing to associate a previous session with a new SSL
> connection?

With EAP-FAST, I don't really have a cached session in this sense for
deriving the keys and information for ClientHello. Instead of
SSL_set_session(), I'm only calling SSL_set_session_ticket_ext() before
SSL_connect() to provide the externally (to OpenSSL) stored
SessionTicket data. With TLSv1_method(), this data goes out in
ClientHello; with SSLv23_method() it does not (only an empty request for
standard session ticket included, not the SessionTicket from EAP-FAST
PAC data).

If I were to store the TLS session during which the EAP-FAST PAC was
provisioned and then issue SSL_set_session() with it here, I would
indeed get abbreviated handshake with that session (non-empty Session ID
in ClientHello), but that's not how EAP-FAST works. The Session ID is
supposed to be empty here and instead of the standard session ticket
mechanism, the keys get from SSL_set_session_secret_cb() registered
callback function which derives the secret in EAP-FAST specific way
(master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
server_random + client_random, 48)).

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the openssl-dev mailing list