Re: [openssl-dev] [openssl.org #4392] [PATCH] Resolve DTLS cookie and version before session resumption.

2016-03-27 Thread Kurt Roeckx via RT
On Mon, Mar 07, 2016 at 10:03:20PM +, David Benjamin via RT wrote:
> Session resumption involves a version check, so version negotiation must
> happen first. Currently, the DTLS implementation cannot do session
> resumption in DTLS 1.0 because the ssl_version check always checks against
> 1.2.
> 
> Switching the order also removes the need to fixup ssl_version in DTLS
> version negotiation.

This has been fixed in the master branch.  The 1.0.x branches
look like they're affected too, so I'll leave this open.


Kurt


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4392
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] [openssl.org #4392] [PATCH] Resolve DTLS cookie and version before session resumption.

2016-03-07 Thread David Benjamin via RT
Session resumption involves a version check, so version negotiation must
happen first. Currently, the DTLS implementation cannot do session
resumption in DTLS 1.0 because the ssl_version check always checks against
1.2.

Switching the order also removes the need to fixup ssl_version in DTLS
version negotiation.

The DTLS1-ECDHE-RSA-AES256-SHA-server test (and any other
DTLS1-{cipher-name}-server test) in BoringSSL's test suite can be used to
repro this:
https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html

David




0006-Resolve-DTLS-cookie-and-version-before-session-resum.patch
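
A simplified model of the ordering problem described in this thread, added here as an illustration; it is not OpenSSL's code and not the attached patch. All names (`model_conn`, `handle_client_hello`, and so on) are hypothetical, and it assumes a version-flexible server whose connection version reads as DTLS 1.2 until negotiation has run.

```c
#include <stdio.h>
#include <stdint.h>

/* DTLS wire versions: 1.0 = 0xFEFF, 1.2 = 0xFEFD (numerically lower is newer). */
#define MODEL_DTLS1_0 0xFEFF
#define MODEL_DTLS1_2 0xFEFD

struct model_session { uint16_t version; };             /* cached session */
struct model_conn    { uint16_t version; int resumed; }; /* per-connection state */

/* Constructed sample sessions for the demonstration. */
static const struct model_session SESSION_DTLS10 = { MODEL_DTLS1_0 };
static const struct model_session SESSION_DTLS12 = { MODEL_DTLS1_2 };

/* Pick the older of the client's offer and the server maximum (DTLS 1.2). */
static void negotiate_version(struct model_conn *c, uint16_t client_offer) {
    c->version = client_offer > MODEL_DTLS1_2 ? client_offer : MODEL_DTLS1_2;
}

/* Resumption is allowed only if the cached session's version matches. */
static void try_resume(struct model_conn *c, const struct model_session *s) {
    c->resumed = (s != NULL && s->version == c->version);
}

/* Process a ClientHello; negotiate_first selects the order of the two steps. */
static int handle_client_hello(uint16_t client_offer,
                               const struct model_session *cached,
                               int negotiate_first) {
    struct model_conn c = { MODEL_DTLS1_2, 0 }; /* placeholder before negotiation */
    if (negotiate_first) {
        negotiate_version(&c, client_offer);
        try_resume(&c, cached);   /* compares against the negotiated version */
    } else {
        try_resume(&c, cached);   /* compares against the 1.2 placeholder */
        negotiate_version(&c, client_offer);
    }
    return c.resumed;
}

int main(void) {
    printf("DTLS 1.0 session, resume before negotiate: %d\n",
           handle_client_hello(MODEL_DTLS1_0, &SESSION_DTLS10, 0));
    printf("DTLS 1.0 session, negotiate before resume: %d\n",
           handle_client_hello(MODEL_DTLS1_0, &SESSION_DTLS10, 1));
    printf("DTLS 1.2 session, resume before negotiate: %d\n",
           handle_client_hello(MODEL_DTLS1_2, &SESSION_DTLS12, 0));
    return 0;
}
```

The DTLS 1.2 case resumes under either order, which is why the problem only shows up with DTLS 1.0 clients.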