Commit 9e189b9d authored by David Benjamin, committed by Emilia Kasper

Do not resume a session if the negotiated protocol version does not match the session's version (server).

See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
parent 8d02bebd
+6 −0
@@ -627,6 +627,12 @@

 Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]

   *) Do not resume sessions on the server if the negotiated protocol
      version does not match the session's version. Resuming with a different
      version, while not strictly forbidden by the RFC, is of questionable
      sanity and breaks all known clients.
      [David Benjamin, Emilia Käsper]

   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
      early CCS messages during renegotiation. (Note that because
      renegotiation is encrypted, this early CCS was not exploitable.)
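
Review bot: The new entry refers to "the RFC" without naming it, while the comment added in ssl3_get_client_hello cites RFC 5246; name it here as well so the two agree. The entry also states what the server no longer does but not what it does instead when the versions differ; a closing clause describing the resulting behaviour would help operators reading CHANGES.
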
+10 −1
@@ -1054,7 +1054,16 @@ int ssl3_get_client_hello(SSL *s)
	else
		{
		i=ssl_get_prev_session(s, p, j, d + n);
		if (i == 1)
		/*
		 * Only resume if the session's version matches the negotiated
		 * version.
		 * RFC 5246 does not provide much useful advice on resumption
		 * with a different protocol version. It doesn't forbid it but
		 * the sanity of such behaviour would be questionable.
		 * In practice, clients do not accept a version mismatch and
		 * will abort the handshake with an error.
		 */
		if (i == 1 && s->version == s->session->ssl_version)
			{ /* previous session */
			s->hit=1;
			}
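
Review bot: With the new condition `if (i == 1 && s->version == s->session->ssl_version)`, the case where i == 1 but the versions differ now falls through to branches outside this hunk that were previously reached only when i != 1. The condition dereferences s->session, so the looked-up session is already attached at that point; please confirm the fall-through path replaces it with a new session rather than continuing with the mismatched one, and update any assumption there about the value of i. A regression test in which a client offers a session ID from a different protocol version would be worth adding alongside this.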