[openssl-dev] DTLS session resumption with DTLS_ANY_VERSION
Rajeswari K
raji.kotamraju at gmail.com
Tue May 10 17:34:18 UTC 2016
Hello openssl-dev team,
I have a query regarding DTLS session resumption when the SSL_CTX is configured with
DTLS_ANY_VERSION.
When we create the SSL_CTX with DTLS_ANY_VERSION, the method is
DTLS_server_method(), which has ssl_ctx->version as 0xFEFD to support
both versions (i.e. DTLS1.0 and DTLS1.2).
During the handshake we landed on version DTLS1.0, i.e. s->session->version
holds 0xFEFF.
In order to perform session resumption, we derived a new SSL structure from the
global ssl_ctx using SSL_new() and tried performing the SSL handshake.
With the logic below,
else {
    i = ssl_get_prev_session(s, p, j, d + n);
    /*
     * Only resume if the session's version matches the negotiated
     * version.
     * RFC 5246 does not provide much useful advice on resumption
     * with a different protocol version. It doesn't forbid it but
     * the sanity of such behaviour would be questionable.
     * In practice, clients do not accept a version mismatch and
     * will abort the handshake with an error.
     */
    if (i == 1 && s->version == s->session->ssl_version) { /* previous
                                                             * session */
        s->hit = 1;
    } else if (i == -1)
        goto err;
    else {                  /* i == 0 */
        if (!ssl_get_new_session(s, 1))
            goto err;
    }
Since s->version is 0xFEFD and s->session->ssl_version is 0xFEFF, we
always try for a new session and won't land on session resumption, though the
client has sent the session_id.
Is this intended behaviour? Please clarify.
Thanks,
Rajeswari.
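As an added illustration (constructed here; it is not code from the mail or from OpenSSL), a small C model of the decision the quoted block makes: the sample cache, the 1/0/-1 lookup convention and the resume_decision() function are all assumed names. It shows that a session cached under DTLS1.0 (0xFEFF) is not resumed when the current handshake is at 0xFEFD, and that resumption happens only on an exact version match, which is what prevents a cached session from silently carrying an older protocol version into a newer handshake.

```c
#include <string.h>

/* Constructed model, not OpenSSL code: it mirrors the 1 / 0 / -1 result of
 * ssl_get_prev_session() and the version check quoted in the mail above. */
#define DTLS1_VERSION   0xFEFF
#define DTLS1_2_VERSION 0xFEFD
#define MAX_ID_LEN      32

enum decision { RESUME_ERR = -1, RESUME_NEW = 0, RESUME_HIT = 1 };

struct cached_session {
    unsigned char id[MAX_ID_LEN];
    size_t id_len;
    int ssl_version;   /* version negotiated when the session was created */
};

/* Constructed sample cache: one session made under DTLS1.0, one under DTLS1.2. */
static const struct cached_session cache[] = {
    { "sess-dtls10", 11, DTLS1_VERSION },
    { "sess-dtls12", 11, DTLS1_2_VERSION },
};
static const size_t cache_count = sizeof(cache) / sizeof(cache[0]);

/* Lookup with the same convention as ssl_get_prev_session():
 * 1 = found, 0 = not found, -1 = fatal (session_id longer than allowed). */
static int cache_lookup(const unsigned char *id, size_t id_len,
                        const struct cached_session **out)
{
    if (id_len > MAX_ID_LEN)
        return -1;
    for (size_t i = 0; i < cache_count; i++)
        if (cache[i].id_len == id_len && memcmp(cache[i].id, id, id_len) == 0) {
            *out = &cache[i];
            return 1;
        }
    return 0;
}

/* Same rule as the quoted server code: resume only when the version negotiated
 * for this handshake equals the version recorded with the cached session. */
enum decision resume_decision(int negotiated_version, const unsigned char *id, size_t id_len)
{
    const struct cached_session *sess = NULL;
    int i = cache_lookup(id, id_len, &sess);
    if (i == -1)
        return RESUME_ERR;
    if (i == 1 && negotiated_version == sess->ssl_version)
        return RESUME_HIT;     /* s->hit = 1: reuse the cached session */
    return RESUME_NEW;         /* otherwise a fresh session is negotiated */
}
```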