Hello, Please disregard first version of this patch. Making that change at s3_pkt.c was too broad, and pretty much incorrect. Attached is a new version of patch. I would appreciate any kind of feedback on this.
Open questions that I am not sure about so far: is it safe to set `s->first_packet = 1` on renegotiation? Why is it DTLS-only right now? Should this patch do anything else to reset the current session? Thank you very much, Fedor. On Sat, Jan 30, 2016 at 5:04 PM, Fedor Indutny <fe...@indutny.com> wrote: > When connecting to pool of diverse servers (both TLS1.0 and TLS1.2), a > following scenario may happen: > > 1. Connect to TLS1.2 server, receive new session > 2. Store this session > 3. Attempt to reuse it later when connecting to server > 4. Connect to different server from the pool, which speaks only TLS1.0 > 5. Get `SSL_R_WRONG_VERSION_NUMBER` error > > Expected behavior would be scrapping off the session, and allowing > server to downgrade to supported protocol version the way it would do it > if no client session would be supplied. > > This issue was discovered while working on following node.js bug: > > https://github.com/nodejs/node/issues/3692 > --- > ssl/s3_pkt.c | 39 +++++++++++++++++++++++++++++++++++++++ > ssl/ssltest.c | 22 +++++++++++++++++++++- > test/testssl | 6 ++++++ > 3 files changed, 66 insertions(+), 1 deletion(-) >
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJWrURJAAoJENcGPM4Zt+iQ0WgP/3QE4w13G+30DYgyKWPGZf7U SSVF0Yy5ezn+syzKNEkypO2iqL4MnjuBqlyXDlWWQv534Pcmw9uJWe6sCCVf6Tls BA+v12Fd85QoX4RqhLa6XM8BusY4srAxZbX+D6Z5C7VVLO+2ZjTGYCJhXOoBlOvf 3hYKaVlnfpP1+5Yae8VKEKm3nb6USsvTXn/UDuxxCocaGA3/O3t+vW3U/+jNbtdK RY60T+jVSkt4fw9eL9qR072eHkUaBWIad9KgGj0gcoJA6RjDn/78Ik6P/mPCrXmG 8/wLdR+qQbjAjWB48JY9f0Vv3XhtG5KLdX/g6w6T1n3F+dVO+rRWxuG7E6J6eMuL th+Nj3hhhtBEFwW7WnU2+MhxYyy82d1OwFs6A4tRuav86wHEi1zutfWeEcwqg5jM c6QuERxkPeWbRnIeBcdJVguQ4kO2cWl64a7YzT46RCMSF1GAUMVpB2e38LEd11oa Uk0KVw2dApXEmVbe8jpRSlBejKafp6lTujE5fiD+6/4foG2hwRUwBjEDpMKtHjs9 AlWzXr5vmwAQ4QKb68h+eC25C6ii4wgSflL0q8Z2hDTdAPi/5ftGOZFNSyBPh6Ub 6wVqZFrwrk5GF2HKwT1KAUEWhUeWbRXFzeknsb5P+vMNZ6qf5j+y7uYaFC+1S4SK JmxLddBgP2N3VkKfXF7C =QuAH -----END PGP SIGNATURE-----
0001-Allow-downgrading-when-reusing-sessions-on-client.patch
Description: Binary data
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev