authorTodd Short <tshort@akamai.com>2016-09-01 08:40:54 -0400
committerPauli <paul.dale@oracle.com>2017-10-04 10:21:08 +1000
commita84e5c9aa8e50af2bcb445ab30a0e9c19e72f60b (patch)
tree590baea962817312a9b3b1007501abc67c34f256 /test/ssl_test_ctx_test.c
parent270a4bba49849de7f928f4fab186205abd132411 (diff)
downloadopenssl-new-a84e5c9aa8e50af2bcb445ab30a0e9c19e72f60b.tar.gz
Session resume broken switching contexts
When an SSL's context is switched from a ticket-enabled context to a ticket-disabled context in the servername callback, no session-id is generated, so the session can't be resumed. If a servername callback changes the SSL_OP_NO_TICKET option, check to see if it's changed to disable, and whether a session ticket is expected (i.e. the client indicated ticket support and the SSL had tickets enabled at the time), and whether we already have a previous session (i.e. s->hit is set). In this case, clear the ticket-expected flag, remove any ticket data and generate a session-id in the session. If the SSL hit (resumed) and switched to a ticket-disabled context, assume that the resumption was via session-id, and don't bother to update the session. Before this fix, the updated unit-tests in 06-sni-ticket.conf would fail test #4 (server1 = SNI, server2 = no SNI). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/1529)
Diffstat (limited to 'test/ssl_test_ctx_test.c')
-rw-r--r--test/ssl_test_ctx_test.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/test/ssl_test_ctx_test.c b/test/ssl_test_ctx_test.c
index 194919d1f3..33a18428e8 100644
--- a/test/ssl_test_ctx_test.c
+++ b/test/ssl_test_ctx_test.c
@@ -92,7 +92,9 @@ static int testctx_eq(SSL_TEST_CTX *ctx, SSL_TEST_CTX *ctx2)
|| !TEST_str_eq(ctx->expected_alpn_protocol,
ctx2->expected_alpn_protocol)
|| !TEST_int_eq(ctx->resumption_expected,
- ctx2->resumption_expected))
+ ctx2->resumption_expected)
+ || !TEST_int_eq(ctx->session_id_expected,
+ ctx2->session_id_expected))
return 0;
return 1;
}
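Review bot: The new `session_id_expected` comparison in `testctx_eq` is only exercised with `SSL_TEST_SESSION_ID_IGNORE`, the value the good-configuration fixture sets in the next hunk, so if IGNORE is also the parser's default for `SessionIdExpected` this file would not notice a parser that mapped the other accepted values to the wrong constant. A second fixture expecting a non-IGNORE value (for example `fixture->expected_ctx->session_id_expected = SSL_TEST_SESSION_ID_YES;` paired with a matching config section, constant name to be confirmed against the enum) would pin the mapping. The `ssltest_unknown_session_id_expected` entry added to `bad_configurations` in the last hunk covers rejection of an unknown value but not the accepted ones. `testctx_eq` begins above this hunk, so the earlier field comparisons are not visible here.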
@@ -166,6 +168,7 @@ static int test_good_configuration(void)
fixture->expected_ctx->expected_servername = SSL_TEST_SERVERNAME_SERVER2;
fixture->expected_ctx->session_ticket_expected = SSL_TEST_SESSION_TICKET_YES;
fixture->expected_ctx->compression_expected = SSL_TEST_COMPRESSION_NO;
+ fixture->expected_ctx->session_id_expected = SSL_TEST_SESSION_ID_IGNORE;
fixture->expected_ctx->resumption_expected = 1;
fixture->expected_ctx->extra.client.verify_callback =
@@ -207,6 +210,7 @@ static const char *bad_configurations[] = {
"ssltest_unknown_servername_callback",
"ssltest_unknown_session_ticket_expected",
"ssltest_unknown_compression_expected",
+ "ssltest_unknown_session_id_expected",
"ssltest_unknown_method",
"ssltest_unknown_handshake_mode",
"ssltest_unknown_resumption_expected",