Skip to content
  1. Mar 21, 2018
    • Benjamin Kaduk's avatar
      Do not cache sessions with zero sid_ctx_length when SSL_VERIFY_PEER · d316cdcf
      Benjamin Kaduk authored
      
      
      The sid_ctx is something of a "certificate request context" or a
      "session ID context" -- something from the application that gives
      extra indication of what sort of thing this session is/was for/from.
      Without a sid_ctx, we only know that there is a session that we
      issued, but it could have come from a number of things, especially
      with an external (shared) session cache.  Accordingly, when resuming,
      we will hard-error the handshake when presented with a session with
      zero-length sid_ctx and SSL_VERIFY_PEER is set -- we simply have no
      information about the peer to verify, so the verification must fail.
      
      In order to prevent these future handshake failures, proactively
      decline to add the problematic sessions to the session cache.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5175)
      d316cdcf
  2. Mar 20, 2018
  3. Mar 19, 2018