On Thu, Jul 23, 2015 at 09:22:04PM +0300, Jouni Malinen wrote:
> I used to use SSL_CTX_new(TLSv1_method()) to initialize SSL_CTX for
> various TLS-based EAP methods. This worked fine with EAP-TLS,
> EAP-PEAP, EAP-TTLS, and EAP-FAST. However, it did not allow OpenSSL to
> negotiate TLS v1.1 or v1.2 to be used. Consequently, there seemed to
> be need to change from TLSv1_method() to SSLv23_method() with
> SSL_OP_NO_SSLv2 and SSL_OP_NO_v3. Initially, this seemed to work fine,
> but I found an issue with EAP-FAST peer (i.e., TLS client).
Postfix happily sends session tickets and resuming sessions even
though it is using SSLv23_client_method(), and there is no server-side
session cache (I made sure the client connets to a different server
process between the initial handshake and the resumption, and that
there is no "external" cache configured.) Output summary:
$ posttls-finger -lmay -Ldebug -r 10 -c example.org
posttls-finger: setting up TLS connection to mx1.example.org[192.0.2.1]:25
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect:SSLv3 read server hello A
posttls-finger: SSL_connect:SSLv3 read server key exchange A
posttls-finger: SSL_connect:SSLv3 read server done A
posttls-finger: SSL_connect:SSLv3 write client key exchange A
posttls-finger: SSL_connect:SSLv3 write change cipher spec A
posttls-finger: SSL_connect:SSLv3 write finished A
posttls-finger: SSL_connect:SSLv3 flush data
posttls-finger: SSL_connect:SSLv3 read server session ticket A
posttls-finger: SSL_connect:SSLv3 read finished A
posttls-finger: save session
[192.0.2.1]:25&8132DFEF2967E661AEDA394357CABF4803EA6915B5AA3750F5C937BEAB39FE1E
to memory cache
posttls-finger: Anonymous TLS connection established to
mx1.example.org[192.0.2.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256
bits)
posttls-finger: Reconnecting after 10 seconds
posttls-finger: looking for session
[192.0.2.1]:25&8132DFEF2967E661AEDA394357CABF4803EA6915B5AA3750F5C937BEAB39FE1E
in memory cache
posttls-finger: reloaded session
[192.0.2.1]:25&8132DFEF2967E661AEDA394357CABF4803EA6915B5AA3750F5C937BEAB39FE1E
from memory cache
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv3 write client hello A
posttls-finger: SSL_connect:SSLv3 read server hello A
posttls-finger: SSL_connect:SSLv3 read finished A
posttls-finger: SSL_connect:SSLv3 write change cipher spec A
posttls-finger: SSL_connect:SSLv3 write finished A
posttls-finger: SSL_connect:SSLv3 flush data
posttls-finger: mx1.example.org[192.0.2.1]:25: Reusing old session
posttls-finger: Anonymous TLS connection established to
mx1.example.org[192.0.2.1]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256
bits)
The order of events is:
/* Once only */
ctx = SSL_CTX_new(SSLv23_client_method());
/* Per connection */
ssl = SSL_new(ctx);
/* Protocol support varies per server, so not set via global context */
SSL_set_options(...);
/* restore appropriate session from the client cache */
session = ... ;
if (session)
SSL_set_session(ssl, session);
SSL_connect(ssl);
What are you doing to associate a previous session with a new SSL
connection?
--
Viktor.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
