[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

Jouni Malinen j at w1.fi
Tue Jul 28 14:09:38 UTC 2015


On Mon, Jul 27, 2015 at 11:28:09PM +0100, Matt Caswell wrote:
> The master branch implements "security levels". The default security
> level does not allow anon ciphersuites. I suspect this may be your problem.

Indeed. SSL_set_security_level(ssl, 0) for this special EAP-FAST case
resolved this.

> Can you use:
> __owur const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
> 
> and
> 
> int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
> 
> to then call:
> EVP_MD_size(EVP_get_digestbynid(nid));

Thanks! This does indeed work fine and is a significantly cleaner design
than the one I had to use with earlier OpenSSL versions.

It looks like things are getting very close to complete now. I was able
to get all EAP-FAST test cases passing with the current snapshot of
1.0.2 and using TLSv1.2. With the current snapshot of the master branch,
there is an issue on the TLS server side, though. All the EAP-FAST peer
functionality worked with the master branch version.

The remaining issue for EAP-FAST server is in the
SSL_set_session_secret_cb() callback not having access to the correct
server_random through SSL_get_server_random(). In earlier OpenSSL
versions, I could fetch this from ssl->s3->server_random. However,
SSL_get_server_random() seems to return some bogus data at this point in
the sequence (_before_ the ServerHello has actually been written). The
correct server_random becomes available later, but that's too late to be
able to derive the correct master_secret in the session secret
callback.

Any idea what could be causing this? Would it be possible to modify the
sequence of operations here in a way that the real server_random were
available through SSL_get_server_random() from the
SSL_set_session_secret_cb() handler on the TLS server side as well as on
the client side (where it seems to work now)?

-- 
Jouni Malinen                                            PGP id EFC895FA
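
Why the session secret callback needs the real server_random, as an added example that is not part of the original message and is not OpenSSL or hostap code: a Python implementation of the EAP-FAST master_secret derivation as defined in RFC 4851 (T-PRF keyed with the PAC-Key, seeded with server_random + client_random). The function names, the PAC-Key and both random values are constructed for illustration.

```python
import hashlib
import hmac

LABEL = b"PAC to master secret label hash"  # label from RFC 4851, Section 5.1
TLS_RANDOM_LEN = 32
MASTER_SECRET_LEN = 48


def t_prf(key: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """RFC 4851 T-PRF: T1 = HMAC-SHA1(key, S + len + 0x01),
    Tn = HMAC-SHA1(key, T(n-1) + S + len + n), with S = label + 0x00 + seed."""
    s = label + b"\x00" + seed
    length = out_len.to_bytes(2, "big")  # two-octet OutputLength, network order
    out, block, counter = b"", b"", 1
    while len(out) < out_len:
        block = hmac.new(key, block + s + length + bytes([counter]),
                         hashlib.sha1).digest()
        out += block
        counter += 1
    return out[:out_len]


def derive_master_secret(pac_key: bytes, server_random: bytes,
                         client_random: bytes) -> bytes:
    """master_secret = T-PRF(PAC-Key, label, server_random + client_random, 48)."""
    for name, value in (("server_random", server_random),
                        ("client_random", client_random)):
        if len(value) != TLS_RANDOM_LEN:
            raise ValueError(f"{name} must be {TLS_RANDOM_LEN} bytes")
    return t_prf(pac_key, LABEL, server_random + client_random, MASTER_SECRET_LEN)


# Constructed sample values (not taken from any real handshake).
PAC_KEY = bytes(range(32))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32   # value later sent in ServerHello
STALE_SERVER_RANDOM = bytes(32)      # stand-in for a not-yet-generated value

if __name__ == "__main__":
    good = derive_master_secret(PAC_KEY, SERVER_RANDOM, CLIENT_RANDOM)
    bad = derive_master_secret(PAC_KEY, STALE_SERVER_RANDOM, CLIENT_RANDOM)
    # The peer derives `good` from the ServerHello it receives; a server that
    # derived `bad` in its callback ends up with a different master_secret.
    print("peer   :", good.hex())
    print("server :", bad.hex())
    print("match  :", hmac.compare_digest(good, bad))
```

Because the seed is server_random + client_random, a callback that reads server_random before it holds the value sent in the ServerHello derives a master_secret the peer cannot match.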

