RFC 5077 section 3.3 says:

    If the server determines that it does not want to include a
    ticket after it has included the SessionTicket extension in the
    ServerHello, then it sends a zero-length ticket in the
    NewSessionTicket handshake message.

However, an OpenSSL 1.0.1 client will reject this message; it appears
this is due to the fact that OPENSSL_malloc returns failure on attempting
to allocate 0 bytes. Here's s_client in action:

    <<< TLS 1.2 [length 000a]
        04 00 00 06 00 00 00 00 00 00
    139933926663848:error:1411B041:SSL routines:SSL3_GET_NEW_SESSION_TICKET:malloc failure:s3_clnt.c:2077:

A quick patch of adding

    if(ticklen == 0)
        {
        s->session->tlsext_tick = NULL;
        return 1;
        }

before attempting the malloc at line 2075 seems to do the right thing
both for empty and regular session ticket messages.

Regards,
Jack Lloyd
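
Added example, not part of the original message and not OpenSSL code: a stand-alone C parser for the NewSessionTicket message that accepts the zero-length ticket of RFC 5077 section 3.3 without asking the allocator for 0 bytes. The `ticket_state` struct and `parse_new_session_ticket` function are hypothetical names chosen for illustration; the bytes in `main` are the message from the s_client trace above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical client-side state for this example (not OpenSSL's structures). */
struct ticket_state {
    uint32_t lifetime_hint;
    uint8_t *ticket;      /* NULL when the server sent no ticket */
    size_t   ticket_len;
};

/* NewSessionTicket handshake message, RFC 5077 section 3.3:
 *   type(1)=0x04 | length(3) | lifetime_hint(4) | ticket_len(2) | ticket
 * Returns 1 on success, 0 on a malformed message, -1 on allocation failure. */
int parse_new_session_ticket(const uint8_t *msg, size_t len, struct ticket_state *st)
{
    if (len < 4 || msg[0] != 0x04)
        return 0;
    size_t body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (body != len - 4 || body < 6)      /* header must match, hint+len must fit */
        return 0;
    const uint8_t *p = msg + 4;
    uint32_t hint = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                    ((uint32_t)p[2] << 8) | p[3];
    size_t ticklen = ((size_t)p[4] << 8) | p[5];
    if (ticklen != body - 6)              /* declared ticket length must be exact */
        return 0;
    uint8_t *copy = NULL;
    if (ticklen > 0) {                    /* malloc(0) may legally return NULL */
        copy = malloc(ticklen);
        if (copy == NULL)
            return -1;
        memcpy(copy, p + 6, ticklen);
    }
    free(st->ticket);                     /* an empty ticket also drops a stale one */
    st->ticket = copy;
    st->ticket_len = ticklen;
    st->lifetime_hint = hint;
    return 1;
}

int main(void)
{
    const uint8_t msg[] = {0x04, 0, 0, 0x06, 0, 0, 0, 0, 0, 0}; /* from the trace */
    struct ticket_state st = {0, NULL, 0};
    printf("rc=%d len=%zu\n", parse_new_session_ticket(msg, sizeof msg, &st), st.ticket_len);
    return 0;
}
```

Because the stored length is reset together with the pointer, a later resumption attempt cannot offer a ticket the server has withdrawn.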