diff options
author | Todd Short <tshort@akamai.com> | 2016-09-01 08:40:54 -0400 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2017-10-04 10:21:08 +1000 |
commit | a84e5c9aa8e50af2bcb445ab30a0e9c19e72f60b (patch) | |
tree | 590baea962817312a9b3b1007501abc67c34f256 /crypto/err | |
parent | 270a4bba49849de7f928f4fab186205abd132411 (diff) |
Session resume broken switching contexts
When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.
If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).
In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.
If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.
Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
Diffstat (limited to 'crypto/err')
-rw-r--r-- | crypto/err/openssl.txt | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 11a1365f72..58b901965b 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1071,6 +1071,7 @@ SSL_F_SSL_DO_CONFIG:391:ssl_do_config SSL_F_SSL_DO_HANDSHAKE:180:SSL_do_handshake SSL_F_SSL_DUP_CA_LIST:408:SSL_dup_CA_list SSL_F_SSL_ENABLE_CT:402:SSL_enable_ct +SSL_F_SSL_GENERATE_SESSION_ID:547:ssl_generate_session_id SSL_F_SSL_GET_NEW_SESSION:181:ssl_get_new_session SSL_F_SSL_GET_PREV_SESSION:217:ssl_get_prev_session SSL_F_SSL_GET_SERVER_CERT_INDEX:322:* |