On Fri, Dec 04, 2015 at 10:27:48AM +0000, Matt Caswell wrote:
> EAP-FAST is very strange. Normally you know whether you are resuming a
> session or not based on the session id returned from the server. However
> that's not the case with EAP-FAST - you have to wait to see what message
> the server sends you next to determine what's happening (which is really
> horrible).

Indeed. EAP-FAST is a good example of what can happen if a company designs a new EAP method and pushes that to the market without going through proper IETF review. This part here is not the only difficult item in supporting EAP-FAST. :(

> The new state machine code waits until a message is received from the
> peer and then checks it against its allowed list of transitions based on
> its current state. If it's not allowed then you get an unexpected message
> alert. It looks like the check for the EAP-FAST session resumption case
> is missing from the new code.
>
> Please can you try the attached patch and see if that resolves the
> issue? Let me know how you get on.

Thanks! That fixes the issue. With this applied on top of the current master branch snapshot, I was able to pass all my EAP regression tests.

-- 
Jouni Malinen                                            PGP id EFC895FA
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
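The transition check discussed in this thread, as an added example: a simplified model, not OpenSSL's code and not the attached patch. All type, field and function names are hypothetical, and it assumes the client has offered a session ticket whose secret is supplied out of band, so resumption can only be recognised from the message that follows the ServerHello.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not an OpenSSL identifier. */
enum msg { MSG_CERTIFICATE, MSG_CHANGE_CIPHER_SPEC, MSG_FINISHED };
enum state { ST_GOT_SERVER_HELLO, ST_GOT_CERTIFICATE, ST_GOT_CCS,
             ST_GOT_FINISHED, ST_UNEXPECTED_MESSAGE };

struct client {
    enum state st;
    bool session_id_matched; /* server echoed the session id we offered */
    bool ticket_offered;     /* EAP-FAST style: ticket sent, secret known out of band */
    bool resumed;            /* set once the handshake is known to be a resumption */
};

/* Check a received message against the transitions allowed from the current
 * state. ST_UNEXPECTED_MESSAGE stands for sending an unexpected_message alert. */
enum state read_transition(struct client *c, enum msg m)
{
    switch (c->st) {
    case ST_GOT_SERVER_HELLO:
        if (c->session_id_matched) {          /* normal resumption */
            if (m != MSG_CHANGE_CIPHER_SPEC)
                break;
            c->resumed = true;
            return c->st = ST_GOT_CCS;
        }
        /* The session id says nothing here: the next message decides.
         * Without this branch a resuming server is rejected. */
        if (c->ticket_offered && m == MSG_CHANGE_CIPHER_SPEC) {
            c->resumed = true;
            return c->st = ST_GOT_CCS;
        }
        if (m == MSG_CERTIFICATE)             /* full handshake */
            return c->st = ST_GOT_CERTIFICATE;
        break;
    case ST_GOT_CCS:
        if (m == MSG_FINISHED)
            return c->st = ST_GOT_FINISHED;
        break;
    default:
        break;
    }
    return c->st = ST_UNEXPECTED_MESSAGE;
}

int main(void)
{
    /* Constructed input: ticket offered, session id not echoed by the server. */
    struct client c = { ST_GOT_SERVER_HELLO, false, true, false };
    enum state s = read_transition(&c, MSG_CHANGE_CIPHER_SPEC);
    printf("state=%d resumed=%d\n", (int)s, (int)c.resumed);
    return 0;
}
```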
