[openssl-dev] SSL_get0_dane_authority() and session reuse

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jan 23 02:47:14 UTC 2016


> On Jan 22, 2016, at 7:35 PM, Claus Assmann <ca+ssl-dev at esmtp.org> wrote:
> 
> SSL_get0_dane_authority() returns -1 on a reused TLS session
> in my test program.
> Is that
> - expected?
> - a problem with my test program?
> - an error in SSL_get0_dane_authority()?

It is expected, but probably should be documented.

With session resumption no server certificates are presented
and accordingly no certificate verification takes place, so
the DANE state remains in its initial unmatched form.

With a re-used session, only the verification state (X509_V_OK
or error value) of the peer certificate is retained in the
session; the chain and DANE state are not retained.

So with resumption enabled, for re-used sessions check
only the verify result, and skip any attempt to discover the
match depth, TLSA RR values, ... Those were available only
with the original session.

Perhaps the example in the manpage should cover this in brief?

-- 
	Viktor.
