[openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

Matt Caswell matt at openssl.org
Wed Jan 6 06:33:05 UTC 2016


On 06/01/16 06:14, Zi Lin wrote:
> Hi Matt,
> 
> thanks for your time. I am glad to see the big efforts done to make
> OpenSSL code better in the master branch (and v1.1.0+). I will find a
> way to start working on the master branch. A quick glance into the
> master branch state machine: the get_prev_session call happens in
> process_message "phase", and dealing with cert_cb happens in
> post_process_message "phase". Moving get_prev_session into
> post_processing_message "phase" seems non-trivial as all those cipher
> checks are in the process_message "phase", depending on resumed
> session.
> 
> Further, I see this comment. Can you clarify what that means?
> https://github.com/openssl/openssl/blob/master/ssl/statem/statem_srvr.c#L1150
> Only session ticket and further TLS1.3 session resumption are
> supported in v1.1+?

This comment is in specific reference to SSLv2 backwards compatible
ClientHellos. While support for SSLv2 itself has been removed from
1.1.0, we still accept SSLv2 backward compat ClientHellos. However we
will not allow session resumption in such an instance: if we are
resuming a session then we must have previously negotiated a version >
SSLv2 so it makes no sense for a client to send a backward compat
ClientHello.

Matt
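
The rule described above, written as a small classifier; this is an added example, not OpenSSL's code and not part of the original message. The function name, result codes and sample byte strings are constructed for illustration, and the TLS sample is truncated after the session_id.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes (names belong to this example, not to OpenSSL). */
enum { HELLO_MALFORMED = -1, HELLO_NO_RESUME = 0, HELLO_MAY_RESUME = 1 };

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

int resumption_lookup_allowed(const uint8_t *buf, size_t len)
{
    if (len < 3)
        return HELLO_MALFORMED;
    /* SSLv2-compatible ClientHello: 2-byte header with the high bit set,
     * msg_type 1, 2-byte version, then three 16-bit length fields. */
    if ((buf[0] & 0x80) && buf[2] == 0x01) {
        if (len < 11)
            return HELLO_MALFORMED;
        size_t rec = (((size_t)buf[0] & 0x7f) << 8) | buf[1];
        size_t body = 9 + be16(buf + 5) + be16(buf + 7) + be16(buf + 9);
        if (rec != body || len < 2 + rec)
            return HELLO_MALFORMED;
        /* A resumable session implies a version above SSLv2 was negotiated,
         * so any session_id in this format is ignored. */
        return HELLO_NO_RESUME;
    }
    /* TLS record (type 22, major 3) holding a ClientHello (type 1): 5-byte
     * record header, 4-byte handshake header, version, 32-byte random. */
    if (buf[0] == 0x16 && len >= 44 && buf[1] == 0x03 && buf[5] == 0x01) {
        size_t sid_len = buf[43];
        if (sid_len > 32 || len < 44 + sid_len)
            return HELLO_MALFORMED;
        return sid_len ? HELLO_MAY_RESUME : HELLO_NO_RESUME;
    }
    return HELLO_MALFORMED;
}

/* Constructed samples; bytes not listed are zero. */
const uint8_t V2_PLAIN[30] = {0x80,0x1c,0x01,0x03,0x03,0,3,0,0,0,16,0,0,0x2f};
const uint8_t V2_WITH_SID[46] = {0x80,0x2c,0x01,0x03,0x03,0,3,0,16,0,16,0,0,0x2f};
const uint8_t TLS_RESUME[76] = {0x16,3,1,0,0x47,1,0,0,0x43,3,3,[43] = 0x20};

int main(void)
{
    return !(resumption_lookup_allowed(V2_PLAIN, sizeof V2_PLAIN) == HELLO_NO_RESUME
          && resumption_lookup_allowed(V2_WITH_SID, sizeof V2_WITH_SID) == HELLO_NO_RESUME
          && resumption_lookup_allowed(TLS_RESUME, sizeof TLS_RESUME) == HELLO_MAY_RESUME);
}
```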


