Thanks! That corrects the problem. Yes, the problem was on the client side.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dr. Stephen Henson
Sent: Saturday, June 07, 2014 9:34 AM
To: [email protected]
Subject: Re: OpenSSL 1.0.1h - issue with EAP-FAST session resumption

On Sat, Jun 07, 2014, Doug Smith wrote:

> All,
>
> Running into an issue with OpenSSL 1.0.1h and EAP-FAST/wpa_supplicant TLS
> session resumption.
>
> The CVE-2014-0224 fix added code to reject the ChangeCipherSpec message if it is
> received in incorrect order.
> Normally the TLS client sends the Finished message before the
> ChangeCipherSpec message is received from the server.
> The 1.0.1h code now appears to set a flag SSL3_FLAGS_CCS_OK when Finished is
> sent by the client.
> And the code checks this flag when the ChangeCipherSpec message is received,
> rejecting the CCS packet if the flag isn't set.
>
> Unfortunately for TLS session resumption, the server sends the
> ChangeCipherSpec *before* the client sends the Finished message.
> (See figure 2 of RFC4507 -- http://tools.ietf.org/html/rfc4507)
> This is resulting in the ChangeCipherSpec packet being rejected for EAP-FAST
> session resumption because SSL3_FLAGS_CCS_OK isn't set.
>
> Any guidance would be appreciated.
>
> Thanks,
> Doug
>
> Note: EAP-FAST uses the SSL_set_session_ticket_ext...() functions to set the
> session ticket that is used for TLS session resumption.
>

I think from your message you're getting the error on the client? If so, try this patch:

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 34efff8..cd43873 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1037,6 +1037,7 @@ int ssl3_get_server_hello(SSL *s)
 			{
 			s->session->cipher = pref_cipher ?
 				pref_cipher : ssl_get_cipher_by_char(s, p+j);
+			s->s3->flags |= SSL3_FLAGS_CCS_OK;
 			}
 		}

If you get the error message on the server, or get it after applying that patch, let me know.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available, see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
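Review bot: the added line s->s3->flags |= SSL3_FLAGS_CCS_OK; carries no comment explaining why the client may accept a ChangeCipherSpec at this point, before it has sent its own Finished; since it deliberately relaxes the ordering check introduced for CVE-2014-0224, a one-line comment at the insertion point is worth adding, along the lines of "resuming via the session secret callback: the server sends CCS before our Finished (RFC 4507, figure 2)". Also confirm, from the enclosing condition that lies outside the visible context, that this branch is reached only when the callback actually supplied a master secret for resumption, so the flag is not set on a full handshake where the callback is merely installed.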

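As an added illustration of the ordering problem Doug describes (this is not code from the thread or from OpenSSL), here is a toy C model of the client-side check; the event names, the client_t struct and run_handshake are assumptions constructed for the example. It shows the 1.0.1h check rejecting the server's early ChangeCipherSpec on an abbreviated handshake, and accepting it once the flag is set at ServerHello as the patch does.

```c
/* Toy model of the CVE-2014-0224 ChangeCipherSpec ordering check on the TLS
 * client, following the thread above. Added illustration, not OpenSSL code:
 * the event names and the client_t struct are constructed for this example. */
#include <stdbool.h>

/* Only the events relevant to the check are modelled. */
typedef enum { SERVER_HELLO, SERVER_CCS, SERVER_FINISHED, CLIENT_SENDS_FINISHED } ev_t;

typedef struct {
    bool ccs_ok;   /* stands in for SSL3_FLAGS_CCS_OK */
    bool resumed;  /* abbreviated handshake (session ticket / external secret) */
    bool patched;  /* set the flag at ServerHello when resuming, as the patch does */
} client_t;

/* Returns false when the client must abort, i.e. the CCS arrived out of order. */
static bool client_handle(client_t *c, ev_t e)
{
    switch (e) {
    case SERVER_HELLO:
        /* The patch: on a resumed handshake the server's CCS precedes our
         * Finished, so the client must be ready for it from here on. */
        if (c->resumed && c->patched)
            c->ccs_ok = true;
        return true;
    case CLIENT_SENDS_FINISHED:
        c->ccs_ok = true;  /* 1.0.1h sets the flag when Finished is sent */
        return true;
    case SERVER_CCS:
        return c->ccs_ok;  /* the CVE-2014-0224 check: reject an unexpected CCS */
    case SERVER_FINISHED:
        return true;
    }
    return false;
}

/* Drives the full-handshake order or the abbreviated one (RFC 4507, figure 2). */
bool run_handshake(bool resumed, bool patched)
{
    const ev_t full[] = { SERVER_HELLO, CLIENT_SENDS_FINISHED, SERVER_CCS, SERVER_FINISHED };
    const ev_t abbr[] = { SERVER_HELLO, SERVER_CCS, SERVER_FINISHED, CLIENT_SENDS_FINISHED };
    const ev_t *flow = resumed ? abbr : full;
    client_t c = { false, resumed, patched };
    for (int i = 0; i < 4; i++)
        if (!client_handle(&c, flow[i]))
            return false;
    return true;
}
```

run_handshake(true, false) returns false, the 1.0.1h client rejecting the early CCS on resumption; run_handshake(true, true) returns true, while the full handshake succeeds either way.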