On 9/18/2013 11:23 AM, Stephen Henson via RT wrote:
> Is this the session ticket or the session ID causing the problem? A server
> shouldn't just disconnect if it sees a ticket it doesn't like; it should just
> issue a new one.

Presumably it is the session ticket. I haven't yet captured such a poison session.

I agree a server shouldn't disconnect if it sees a ticket it doesn't like, but buggy servers exist.

> What happens if you disable tickets with -no_ticket?

This problem has manifested with a production service against Amazon ELB. The last time it reproduced was three days ago, the time before that was three weeks prior.

The last reproduction, I got enough telemetry to point the finger at session resumption and was able to confirm that OpenSSL will incorrectly reuse a session ticket when the server drops the connection.

I now have a test program connecting every second. If/when the problem recurs, that program will keep a copy of the poison session on disk and I should be able to answer such questions.
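An added example, not part of the original message and not OpenSSL's code: a client-side session cache that quarantines a session once a connection offering it is dropped, rather than offering it again, and keeps the failed session for later analysis. The `dial` callable, `FlakyServer`, the host name and the ticket strings are constructed stand-ins for a real TLS library and server.

```python
class ResumingClient:
    """Session cache that never re-offers a session the server dropped."""

    def __init__(self, dial):
        self.dial = dial      # hypothetical: dial(host, session) -> session; raises OSError on drop
        self.sessions = {}    # host -> session last issued by that host
        self.quarantine = []  # (host, session) pairs that failed on resumption

    def connect(self, host):
        """Return 'resumed' or 'full' for how the connection was established."""
        cached = self.sessions.pop(host, None)  # pop: a failure must not leave it cached
        if cached is not None:
            try:
                self.sessions[host] = self.dial(host, cached)
                return "resumed"
            except OSError:
                # Dropped while offering a cached session: keep it for analysis,
                # then fall through to a full handshake.
                self.quarantine.append((host, cached))
        self.sessions[host] = self.dial(host, None)  # full handshake, nothing offered
        return "full"


class FlakyServer:
    """Constructed stand-in: drops any connection offering a ticket it dislikes."""

    def __init__(self):
        self.issued = 0
        self.rejected = set()

    def dial(self, host, session):
        if session in self.rejected:
            raise ConnectionResetError("connection dropped during resumption")
        if session is not None:
            return session            # resumption accepted, session stays valid
        self.issued += 1
        return f"ticket-{self.issued}"


def demo():
    server = FlakyServer()
    client = ResumingClient(server.dial)
    outcomes = [client.connect("elb.example")]      # full handshake
    outcomes.append(client.connect("elb.example"))  # resumed with the first ticket
    server.rejected.add("ticket-1")                 # server now dislikes that ticket
    outcomes.append(client.connect("elb.example"))  # dropped once, then full handshake
    outcomes.append(client.connect("elb.example"))  # resumed with the new ticket
    return outcomes, client.quarantine
```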