[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

Viktor Dukhovni openssl-users at dukhovni.org
Thu Jul 23 23:09:40 UTC 2015 

On Fri, Jul 24, 2015 at 01:46:36AM +0300, Jouni Malinen wrote:

> I'd assume this is with the more standard TLS SessionTicket which is not
> what EAP-FAST is..

Correct.

> > The order of events is:
> > 
> > 	/* Once only */
> > 	ctx = SSL_CTX_new(SSLv23_client_method());
> > 
> > 	/* Per connection */
> > 	ssl = SSL_new(ctx);
> > 
> > 	/* Protocol support varies per server, so not set via global context */
> > 	SSL_set_options(...);
> 
> This is all same..

Sure.

> > 	/* restore appropriate session from the client cache */
> > 	session = ... ;
> > 	if (session)
> > 	    SSL_set_session(ssl, session);
> > 
> > 	SSL_connect(ssl);
> 
> While this is not.
> 
> > What are you doing to associate a previous session with a new SSL
> > connection?
> 
> With EAP-FAST, I don't really have a cached session in this sense for
> deriving the keys and information for ClientHello. Instead of
> SSL_set_session(), I'm only calling SSL_set_session_ticket_ext() before
> SSL_connect() to provide the externally (to OpenSSL) stored
> SessionTicket data. With TLSv1_method(), this data goes out in
> ClientHello; with SSLv23_method() it does not (only an empty request for
> standard session ticket included, not the SessionTicket from EAP-FAST
> PAC data).

Thanks makes the issue more clear to me, perhaps others were there
already, but I think this context is helpful.

> If I were to store the TLS session during which the EAP-FAST PAC was
> provisioned and then issue SSL_set_session() with it here, I would
> indeed get abbreviated handshake with that session (non-empty Session ID
> in ClientHello), but that's not how EAP-FAST works. The Session ID is
> supposed to be empty here and instead of the standard session ticket
> mechanism, the keys get from SSL_set_session_secret_cb() registered
> callback function which derives the secret in EAP-FAST specific way
> (master_secret = T-PRF(PAC-Key, "PAC to master secret label hash",
> server_random + client_random, 48)).

Any chance you have a standalone test program that works with
TLSv1_client_method(), but not with SSLv23_client_method() (and
SSLv2 disabled).  Such code if added to "make test" might ensure
the problem does not come back after is is fixed.

What would be excellent is a program that is both the client and
the server (talking to itself over a socketpair perhaps, though
that might not be portable to Windows, but perhaps it suffices
for the test to run on Unix-like systems...).

-- 
	Viktor.

More information about the openssl-dev mailing list