[openssl-dev] [openssl.org #4281] [PATCH] Allow downgrading when reusing sessions on client

Fedor Indutny via RT rt at openssl.org
Sun Jan 31 00:04:16 UTC 2016 

When connecting to pool of diverse servers (both TLS1.0 and TLS1.2), a
following scenario may happen:

  1. Connect to TLS1.2 server, receive new session
  2. Store this session
  3. Attempt to reuse it later when connecting to server
  4. Connect to different server from the pool, which speaks only TLS1.0
  5. Get `SSL_R_WRONG_VERSION_NUMBER` error

Expected behavior would be scrapping off the session, and allowing
server to downgrade to supported protocol version the way it would do it
if no client session would be supplied.

This issue was discovered while working on following node.js bug:

https://github.com/nodejs/node/issues/3692
---
 ssl/s3_pkt.c  | 39 +++++++++++++++++++++++++++++++++++++++
 ssl/ssltest.c | 22 +++++++++++++++++++++-
 test/testssl  |  6 ++++++
 3 files changed, 66 insertions(+), 1 deletion(-)

-------------- next part --------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABAgAGBQJWrTMxAAoJENcGPM4Zt+iQ+GMQAILay2nyh47kVAv1wV3QBgfw
403IrqpoGqLCklZg0SL7zgce+gfOXMydtqbLbK6wtpFNawLPTkbDvLSVyPyixDwy
56UD+neByBXtIuOSs75qVjmAZcuT5GQMoQlIPrX2zGoaRdJls0w4TCrqcoXTDVlL
4QKbaage+EeymPyadEOKmNX2vZmoLRE+t+cMC5gLAtk7ykpAHMWmEZlwhdryP847
uJA8dI1HjvEDcUJvwSsnZLj/wZSrZcC5+QEVsEba8zlKszFYMalygPBZAneZ6zWT
GOp5oqUEEyXMlZB8VCTZcMIdEx79otpOYURYGwxNU0P6reZngc1syfgZQYYGqZ0s
ohKcWCvbKgZMfI3Vh/LhKVCho0n2G4Uy0k32vOtotmg3zyQjCaUCHdiiWPSiNYDm
BlIunymx2ZvCdIZgy/JnAOE2zXe2Hi9qlw+v6wnNH5xowVQvOf0fOgR/R3qhIdrN
6ZFMDY4Ldq0hOFwplAyQRBJZqnHxA6z43lTr5Uk8mad0kIngciFUjvmaBLpiw0r/
R8FT2uVbpDVHf6HUHGobA4cIWZ4nOYBL/mnOfp81gcG3Sd727dV0/dP0K4nyfbim
aaF5VuM2nZWlLTJZnMNZJYDGm7lM1BhkCuniD/t+ycrAHS9cdoT9H/HvcAIBnmMn
GrIf2pe3UbMmidg/TAtb
=Ci8J
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-downgrading-when-reusing-sessions-on-client.patch
Type: application/octet-stream
Size: 6250 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160131/27effec3/attachment-0001.obj>

More information about the openssl-dev mailing list