| author | Todd Short <tshort@akamai.com> | 2016-09-01 14:40:54 +0200 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2017-10-04 02:21:08 +0200 |
| commit | a84e5c9aa8e50af2bcb445ab30a0e9c19e72f60b (patch) | |
| tree | 590baea962817312a9b3b1007501abc67c34f256 /test/ssl_test_ctx.h | |
| parent | Use more pre-allocation (diff) | |
| download | openssl-a84e5c9aa8e50af2bcb445ab30a0e9c19e72f60b.tar.xz openssl-a84e5c9aa8e50af2bcb445ab30a0e9c19e72f60b.zip | |
Session resume broken switching contexts
When an SSL's context is switched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.

If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).

In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.

If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.

Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
Diffstat (limited to 'test/ssl_test_ctx.h')
-rw-r--r-- | test/ssl_test_ctx.h | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h index 5eff75cfa1..fea6527656 100644 --- a/test/ssl_test_ctx.h +++ b/test/ssl_test_ctx.h @@ -57,6 +57,12 @@ typedef enum { } ssl_compression_t; typedef enum { + SSL_TEST_SESSION_ID_IGNORE = 0, /* Default */ + SSL_TEST_SESSION_ID_YES, + SSL_TEST_SESSION_ID_NO +} ssl_session_id_t; + +typedef enum { SSL_TEST_METHOD_TLS = 0, /* Default */ SSL_TEST_METHOD_DTLS } ssl_test_method_t; @@ -200,6 +206,8 @@ typedef struct { STACK_OF(X509_NAME) *expected_client_ca_names; /* Whether to use SCTP for the transport */ int use_sctp; + /* Whether to expect a session id from the server */ + ssl_session_id_t session_id_expected; } SSL_TEST_CTX; const char *ssl_test_result_name(ssl_test_result_t result); @@ -210,6 +218,7 @@ const char *ssl_servername_name(ssl_servername_t server); const char *ssl_servername_callback_name(ssl_servername_callback_t servername_callback); const char *ssl_session_ticket_name(ssl_session_ticket_t server); +const char *ssl_session_id_name(ssl_session_id_t server); const char *ssl_test_method_name(ssl_test_method_t method); const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode); const char *ssl_ct_validation_name(ssl_ct_validation_t mode); |
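Review bot: in the first hunk (the new `ssl_session_id_t` enum), only `SSL_TEST_SESSION_ID_IGNORE` carries a comment, so a reader has to infer what `YES` and `NO` assert; a one-line comment on each (server must / must not send a session id) would make the three-valued shape self-explanatory. Keeping `IGNORE` as the zero value is the right choice here, since a zero-initialised `SSL_TEST_CTX` then asserts nothing about session ids and existing test configurations keep their behaviour.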
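Review bot: in the second hunk, the comment on the new `session_id_expected` field reads `/* Whether to expect a session id from the server */`, which suggests a boolean, while the field is the three-valued `ssl_session_id_t`; suggest wording it as "Whether a session id is expected from the server (IGNORE = not checked)" so the default is documented where the field is declared. This diffstat is limited to `test/ssl_test_ctx.h`, so the code that parses this field from the test configuration and the test that consumes it are not visible in this view and should be checked in the rest of the commit.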
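Review bot: in the third hunk, the parameter of the new prototype `const char *ssl_session_id_name(ssl_session_id_t server);` is named `server`, evidently carried over from the neighbouring `ssl_session_ticket_name(ssl_session_ticket_t server)`; a name such as `session_id` (or `mode`, matching the other `_name` helpers in this block) would describe what is passed. Purely a naming point, since the prototype is otherwise consistent with the surrounding declarations.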