From 4e8548e80e12ee73db77417ea159c58751bf4b06 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 5 Jul 2018 14:40:39 +0100 Subject: Introduce the recv_max_early_data setting Previoulsy we just had max_early_data which controlled both the value of max early_data that we advertise in tickets *and* the amount of early_data that we are willing to receive from clients. This doesn't work too well in the case where we want to reduce a previously advertised max_early_data value. In that case clients with old, stale tickets may attempt to send us more early data than we are willing to receive. Instead of rejecting the early data we abort the connection if that happens. To avoid this we introduce a new "recv_max_early_data" value. The old max_early_data becomes the value that is advertised in tickets while recv_max_early_data is the maximum we will tolerate from clients. Fixes #6647 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6655) --- util/libssl.num | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'util/libssl.num') diff --git a/util/libssl.num b/util/libssl.num index df6a71e1b5..9b6d266144 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -492,3 +492,7 @@ SSL_get_num_tickets 492 1_1_1 EXIST::FUNCTION: SSL_CTX_set_num_tickets 493 1_1_1 EXIST::FUNCTION: SSL_CTX_set_allow_early_data_cb 494 1_1_1 EXIST::FUNCTION: SSL_set_allow_early_data_cb 495 1_1_1 EXIST::FUNCTION: +SSL_set_recv_max_early_data 496 1_1_1 EXIST::FUNCTION: +SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION: +SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION: +SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION: -- cgit v1.2.3