On 04/12/15 13:08, Jouni Malinen wrote:
> On Fri, Dec 04, 2015 at 10:27:48AM +0000, Matt Caswell wrote:
>> EAP-FAST is very strange. Normally you know whether you are resuming a
>> session or not based on the session id returned from the server. However
>> that's not the case with EAP-FAST - you have to wait to see what message
>> the server sends you next to determine what's happening (which is really
>> horrible).
>
> Indeed. EAP-FAST is a good example of what can happen if a company
> designs a new EAP method and pushes that to the market without going
> through proper IETF review.. This part here is not the only difficult
> item in supporting EAP-FAST. :(
>
>> The new state machine code waits until a message is received from the
>> peer and then checks it against its allowed list of transitions based on
>> its current state. If it's not allowed then you get an unexpected message
>> alert. It looks like the check for the EAP-FAST session resumption case
>> is missing from the new code.
>>
>> Please can you try the attached patch and see if that resolves the
>> issue? Let me know how you get on.
>
> Thanks! That fixes the issue. With this applied on top of the current
> master branch snapshot, I was able to pass all my EAP regression tests.
>
This has now been committed to master.

Matt
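
The transition check discussed in this thread, as an added simplified model that is not part of the original messages and is not OpenSSL's code. All state, message and flag names are hypothetical, and the `eap_fast_offered` flag stands in for whatever condition the real client uses to know it attempted EAP-FAST resumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a client read-transition check. All names are
 * hypothetical; this is not OpenSSL's state machine. */
enum msg   { MSG_CERTIFICATE, MSG_CHANGE_CIPHER_SPEC };
enum state { ST_SERVER_HELLO_READ, ST_FULL_HANDSHAKE, ST_RESUMED, ST_ALERT };

struct client {
    enum state st;
    bool session_id_matched;  /* usual resumption signal in ServerHello */
    bool eap_fast_offered;    /* assumption: client offered EAP-FAST resumption */
};

/* Check the received message against the transitions allowed from the
 * current state. eap_fast_check toggles the case the thread says was missing. */
static bool read_transition(struct client *c, enum msg m, bool eap_fast_check)
{
    if (c->st == ST_SERVER_HELLO_READ) {
        if (c->session_id_matched) {
            if (m == MSG_CHANGE_CIPHER_SPEC) { c->st = ST_RESUMED; return true; }
        } else {
            /* EAP-FAST: resumption is only visible from the next message. */
            if (eap_fast_check && c->eap_fast_offered && m == MSG_CHANGE_CIPHER_SPEC) {
                c->st = ST_RESUMED;
                return true;
            }
            if (m == MSG_CERTIFICATE) { c->st = ST_FULL_HANDSHAKE; return true; }
        }
    }
    c->st = ST_ALERT;  /* anything else: unexpected message alert */
    return false;
}

/* Feed the first message after ServerHello and report the resulting state. */
enum state after_server_hello(bool id_matched, bool eap_fast_offered,
                              enum msg m, bool eap_fast_check)
{
    struct client c = { ST_SERVER_HELLO_READ, id_matched, eap_fast_offered };
    read_transition(&c, m, eap_fast_check);
    return c.st;
}

int main(void)
{
    printf("without check: %d\n", after_server_hello(false, true, MSG_CHANGE_CIPHER_SPEC, false));
    printf("with check:    %d\n", after_server_hello(false, true, MSG_CHANGE_CIPHER_SPEC, true));
    printf("no EAP-FAST:   %d\n", after_server_hello(false, false, MSG_CHANGE_CIPHER_SPEC, true));
    return 0;
}
```

The third case matters for anyone reviewing such a fix: an early ChangeCipherSpec stays rejected unless the client itself attempted EAP-FAST resumption.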