authorDr. Stephen Henson <steve@openssl.org>2008-04-29 17:22:01 +0000
committerDr. Stephen Henson <steve@openssl.org>2008-04-29 17:22:01 +0000
commit8831eb7624992ded000310586c99cf6f226a6e19 (patch)
treef4b69a5784651f99e9a6c29d5c250563b1ad0b0c /ssl/s3_clnt.c
parent3c8f315021499e1a7289a16e167a134e62c88297 (diff)
Do not permit stateless session resumption if session IDs mismatch.
Diffstat (limited to 'ssl/s3_clnt.c')
-rw-r--r--ssl/s3_clnt.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7b3eb7ab02..648488b063 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2686,7 +2686,11 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
- if (!s->session->tlsext_tick)
+ /* If we have no ticket or session ID is non-zero length (a match of
+ * a non-zero session length would never reach here) it cannot be a
+ * resumed session.
+ */
+ if (!s->session->tlsext_tick || s->session->session_id_length)
return 1;
/* this function is called when we really expect a Certificate
* message, so permit appropriate message length */
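Review bot: The comment added above the new condition is hard to follow as written ("a match of a non-zero session length would never reach here"), and since this check is what stops a server from steering the client into the Finished-expecting path when the session ID did not match, its rationale should be unambiguous. Suggested wording: `/* Not a resumed session if we have no ticket, or if the stored session has a non-empty session ID: a server resuming a session with a non-empty ID would have matched it in the ServerHello and this function would not be reached. */`. A short function-level comment on ssl3_check_finished stating what the return value of 1 means to the caller (proceed expecting a Certificate message) would also help, as the hunk header is the only place the signature is visible and the function's body continues past the end of the hunk. The code presumably relies on s->session being non-NULL at this point; if that is guaranteed by the caller, the function comment is the place to say so.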