Commit c45d6b2b authored Mar 05, 2016 by David Benjamin Committed by Matt Caswell May 13, 2016

The NewSessionTicket message is not optional.



Per RFC 4507, section 3.3:

   This message [NewSessionTicket] MUST be sent if the
   server included a SessionTicket extension in the ServerHello.  This
   message MUST NOT be sent if the server did not include a
   SessionTicket extension in the ServerHello.

The presence of the NewSessionTicket message should be determined
entirely from the ServerHello without probing.

RT#4389

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

parent afdd82fb

ssl/statem/statem_clnt.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -341,9 +341,11 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
		break;

		case TLS_ST_CW_FINISHED:
		if (mt == SSL3_MT_NEWSESSION_TICKET && s->tlsext_ticket_expected) {
		if (s->tlsext_ticket_expected) {
		if (mt == SSL3_MT_NEWSESSION_TICKET) {
		st->hand_state = TLS_ST_CR_SESSION_TICKET;
		return 1;
		}
		} else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
		st->hand_state = TLS_ST_CR_CHANGE;
		return 1;