Do not resume a session if the negotiated protocol version does not match

the session's version (server). See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde. Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>

Do not resume a session if the negotiated protocol version does not match
the session's version (server). See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde. Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>
9e189b9d · David Benjamin · Emilia Kasper · 8d02bebd · 9e189b9d · 9e189b9d
隐藏空白更改
内联并排

Showing with 16 addition and 1 deletion

CHANGES CHANGES +6 -0

ssl/s3_srvr.c ssl/s3_srvr.c +10 -1

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -627,6 +627,12 @@
 Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+   *) Do not resume sessions on the server if the negotiated protocol
+      version does not match the session's version. Resuming with a different
+      version, while not strictly forbidden by the RFC, is of questionable
+      sanity and breaks all known clients.
+      [David Benjamin, Emilia Käsper]
   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
      early CCS messages during renegotiation. (Note that because
      renegotiation is encrypted, this early CCS was not exploitable.)

--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1054,7 +1054,16 @@ int ssl3_get_client_hello(SSL *s)
 	else
 		{
 		i=ssl_get_prev_session(s, p, j, d + n);
-		if (i == 1)
+		/*
+		 * Only resume if the session's version matches the negotiated
+		 * version.
+		 * RFC 5246 does not provide much useful advice on resumption
+		 * with a different protocol version. It doesn't forbid it but
+		 * the sanity of such behaviour would be questionable.
+		 * In practice, clients do not accept a version mismatch and
+		 * will abort the handshake with an error.
+		 */
+		if (i == 1 && s->version == s->session->ssl_version)
 			{ /* previous session */
 			s->hit=1;
 			}