The branch master has been updated via 6e99ae58c8e1b4a41ae376f91affc7992b0738f7 (commit) from cb1c3d1a2714eb69012b079053f7fbcca1acc544 (commit)
- Log ----------------------------------------------------------------- commit 6e99ae58c8e1b4a41ae376f91affc7992b0738f7 Author: Matt Caswell <m...@openssl.org> Date: Tue Jan 30 15:41:56 2018 +0000 Ignore an s_client psk in TLSv1.3 if not TLSv1.3 suitable The s_client psk_use_session_cb callback has a comment stating that we should ignore a key that isn't suitable for TLSv1.3. However we were actually causing the connection to fail. Changing the return value fixes the issue. Also related to this is that the early_data extension was not marked as TLSv1.3 only which it should be. Fixes #5202 Reviewed-by: Ben Kaduk <ka...@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5205) ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 2 +- ssl/statem/extensions.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index ca2bd0d..eca0a4a 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -208,7 +208,7 @@ static int psk_use_session_cb(SSL *s, const EVP_MD *md, *id = NULL; *idlen = 0; *sess = NULL; - return 0; + return 1; } usesess = SSL_SESSION_new(); if (usesess == NULL diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index daf43c6..7d456f3 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -358,7 +358,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { { TLSEXT_TYPE_early_data, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS - | SSL_EXT_TLS1_3_NEW_SESSION_TICKET, + | SSL_EXT_TLS1_3_NEW_SESSION_TICKET | SSL_EXT_TLS1_3_ONLY, NULL, tls_parse_ctos_early_data, tls_parse_stoc_early_data, tls_construct_stoc_early_data, tls_construct_ctos_early_data, final_early_data _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits