[openssl-dev] s3_clnt.c changes regarding external pre-shared secret seem to break EAP-FAST

Brian Smith brian at briansmith.org
Fri Mar 27 21:40:45 UTC 2015


Brian Smith <brian at briansmith.org> wrote:
> Although the RFC4851 (an informational RFC documenting EAP-FAST) does
> not require the server to send the session ticket extension during
> resumption, it is based on RFC4507/RFC5077 (which are on the standards
> track), which *does* require the server to send the extension. So,
> this is a bug in the non-conformant servers, not in the openssl
> client.

Sorry. It seems I am wrong about this. RFC 5077 says "It is also
permissible to have an exchange similar to Figure 3 using the
abbreviated handshake defined in Figure 2 of RFC 4346, where the
client uses the SessionTicket extension to resume the session, but the
server does not wish to issue a new ticket, and therefore does not
send a SessionTicket extension."

AFAICT this means that, even outside of EAP-FAST, it is allowed for
the server to resume a session using a session ticket without sending
the session ticket extension in its ServerHello message.

Also, note that RFC 5077 section 3.4 allows the client to use a
session ticket and an empty session ID to resume a session, instead of
generating a "fake" session ID for the session ticket: "Alternatively,
the client MAY include an empty Session ID in the ClientHello.  In
this case, the client ignores the Session ID sent in the ServerHello
and determines if the server is resuming a session by the subsequent
handshake messages."

If OpenSSL's client code were changed to always use an empty session
ID when attempting resumption using a session ticket, then the
EAP-FAST case wouldn't be different from the general session ticket
resumption case. I think that this is a cleaner approach.

Note that RFC4851 would likely still need to be updated, because TLS
1.3 will most likely remove the ChangeCipherSpec messages, and
RFC4851's recommended resumption detection is based on detecting
ChangeCipherSpec messages.

Cheers,
Brian
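
Added example (not part of the original message, and not OpenSSL code): a C illustration of the RFC 5077 section 3.4 approach discussed above, where a client that sent a ticket with an empty session ID decides whether the server resumed from the message following ServerHello. It never reads the ServerHello session ID or SessionTicket extension. The function name, the verdict enum and the sample bytes are constructed for illustration, and it assumes no handshake message is fragmented across records.

```c
#include <stddef.h>
#include <stdio.h>
/* Record content types and handshake message types (RFC 5246, RFC 5077). */
enum { REC_CCS = 20, REC_HANDSHAKE = 22 };
enum { HS_SERVER_HELLO = 2, HS_NEW_SESSION_TICKET = 4, HS_CERTIFICATE = 11,
       HS_SERVER_KEY_EXCHANGE = 12, HS_CERTIFICATE_REQUEST = 13, HS_SERVER_HELLO_DONE = 14 };
enum verdict { V_RESUMED, V_FULL_HANDSHAKE, V_NEED_MORE, V_ERROR };

/* Classify the server's first flight after a ClientHello with a ticket and an EMPTY
 * session ID. The ServerHello body (session ID, extensions) is never inspected. */
enum verdict classify_flight(const unsigned char *p, size_t len)
{
    int seen_hello = 0;
    while (len >= 5) {                 /* record header: type, version(2), length(2) */
        unsigned rec = p[0];
        size_t left = ((size_t)p[3] << 8) | p[4];
        const unsigned char *m = p + 5;
        if (len - 5 < left) return V_NEED_MORE;      /* record not fully received */
        p += 5 + left; len -= 5 + left;
        /* ChangeCipherSpec straight after ServerHello: abbreviated handshake. */
        if (rec == REC_CCS) return seen_hello ? V_RESUMED : V_ERROR;
        if (rec != REC_HANDSHAKE) return V_ERROR;
        while (left >= 4) {            /* handshake header: type, length(3) */
            unsigned hs = m[0];
            size_t hlen = ((size_t)m[1] << 16) | ((size_t)m[2] << 8) | m[3];
            if (left - 4 < hlen) return V_ERROR;     /* fragmented: out of scope (assumption) */
            m += 4 + hlen; left -= 4 + hlen;
            if (!seen_hello && hs != HS_SERVER_HELLO) return V_ERROR;
            if (!seen_hello) { seen_hello = 1; continue; }
            if (hs == HS_NEW_SESSION_TICKET) return V_RESUMED;  /* resumed, new ticket issued */
            if (hs == HS_CERTIFICATE || hs == HS_SERVER_KEY_EXCHANGE ||
                hs == HS_CERTIFICATE_REQUEST || hs == HS_SERVER_HELLO_DONE)
                return V_FULL_HANDSHAKE;
            return V_ERROR;
        }
        if (left != 0) return V_ERROR;               /* trailing bytes in the record */
    }
    return V_NEED_MORE;
}
/* Constructed sample flights (dummy 2-byte ServerHello body, not captured traffic). */
static const unsigned char RESUMED[]     = {22,3,1,0,6, 2,0,0,2,0xAA,0xBB, 20,3,1,0,1, 1};
static const unsigned char RESUMED_TKT[] = {22,3,1,0,6, 2,0,0,2,0xAA,0xBB, 22,3,1,0,4, 4,0,0,0};
static const unsigned char FULL_HS[]     = {22,3,1,0,11, 2,0,0,2,0xAA,0xBB, 11,0,0,1,0};

int main(void)
{
    printf("%d %d %d\n", classify_flight(RESUMED, sizeof RESUMED),
           classify_flight(RESUMED_TKT, sizeof RESUMED_TKT), classify_flight(FULL_HS, sizeof FULL_HS));
    return 0;
}
```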

