On 10/05/16 18:34, Rajeswari K wrote:
> Hello openssl-dev team,
> 
> I have a query regarding DTLS session resumption when SSL_CTX is
> configured with DTLS_ANY_VERSION.
> 
> When we select SSL_CTX with DTLS_ANY_VERSION, method will be of
> DTLS_Server_method(), which will have ssl_ctx->version as 0xFEFD to
> support both the versions (i.e. DTLS1.0 and DTLS1.2).
> 
> During handshake, we landed on version DTLS1.0, i.e.
> s->session->version holds 0xFEFF.
> 
> In order to perform session resumption, we derived new SSL structure
> from global ssl_ctx using SSL_new() and tried performing ssl handshake.
> 
> With the below logic, 
> else {
>         i = ssl_get_prev_session(s, p, j, d + n);
>         /*
>          * Only resume if the session's version matches the negotiated
>          * version.
>          * RFC 5246 does not provide much useful advice on resumption
>          * with a different protocol version. It doesn't forbid it but
>          * the sanity of such behaviour would be questionable.
>          * In practice, clients do not accept a version mismatch and
>          * will abort the handshake with an error.
>          */
>         if (i == 1 && s->version == s->session->ssl_version) { /* previous
>                                                                 * session */
>             s->hit = 1;
>         } else if (i == -1)
>             goto err;
>         else {                  /* i == 0 */
> 
>             if (!ssl_get_new_session(s, 1))
>                 goto err;
>         }
> 
> Since s->version is 0xFEFD and s->session->ssl_version is 0xFEFF,
> we always try for a new session and won't land on session resumption
> though the client has sent the session_id.
> 
> Is this intended behaviour? Please clarify.


No. This appears to be a bug introduced by commit 03d14f588734 in
November 2014.

The real problem though is that the DTLS version negotiation is
happening too late - after session resumption. Interestingly this only
seems to be a problem in 1.0.2. In 1.1.0 this is working correctly (the
version negotiation logic has been substantially rewritten in the new
version).

Please could you try out the attached patch? Let me know how you get on.

Thanks

Matt

From f835f1ecbb3aa9766ee647f4b7e042e325bacfc6 Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Wed, 11 May 2016 10:12:09 +0100
Subject: [PATCH] In Server-side DTLS negotiate the version before session
 resumption

This commit moves the server side DTLS version negotiation to before
session resumption is done. This is so that during the resumption we can
properly check that the negotiated version matches the session we are
trying to resume. This fixes a bug where a DTLSv1.2 capable server is
unable to resume sessions with DTLSv1.0 clients.
---
 ssl/s3_srvr.c | 50 +++++++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index ab28702..20997c6 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1010,6 +1010,31 @@ int ssl3_get_client_hello(SSL *s)
         goto f_err;
     }
 
+    if (SSL_IS_DTLS(s) && s->method->version == DTLS_ANY_VERSION) {
+        /* Select version to use */
+        if (s->client_version <= DTLS1_2_VERSION &&
+            !(s->options & SSL_OP_NO_DTLSv1_2)) {
+            s->version = DTLS1_2_VERSION;
+            s->method = DTLSv1_2_server_method();
+        } else if (tls1_suiteb(s)) {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                   SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
+            s->version = s->client_version;
+            al = SSL_AD_PROTOCOL_VERSION;
+            goto f_err;
+        } else if (s->client_version <= DTLS1_VERSION &&
+                   !(s->options & SSL_OP_NO_DTLSv1)) {
+            s->version = DTLS1_VERSION;
+            s->method = DTLSv1_server_method();
+        } else {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
+                   SSL_R_WRONG_VERSION_NUMBER);
+            s->version = s->client_version;
+            al = SSL_AD_PROTOCOL_VERSION;
+            goto f_err;
+        }
+    }
+
     s->hit = 0;
     /*
      * Versions before 0.9.7 always allow clients to resume sessions in
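Review bot: The added block at the top of this hunk now replaces s->method and s->version before "s->hit = 0", which also places it ahead of the cookie handling that the old site followed ("p += cookie_len;" in the next hunk). Please confirm that nothing between the two sites relies on s->method still being the DTLS_ANY_VERSION method, and that a ClientHello which is rejected further down leaves the SSL in an acceptable state with the method already switched. It would also help to extend the "/* Select version to use */" comment to say that the selection has to precede the session lookup so the resumption check compares against the negotiated version; without that, the block is easy to move back later.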
@@ -1104,31 +1129,6 @@ int ssl3_get_client_hello(SSL *s)
         }
 
         p += cookie_len;
-        if (s->method->version == DTLS_ANY_VERSION) {
-            /* Select version to use */
-            if (s->client_version <= DTLS1_2_VERSION &&
-                !(s->options & SSL_OP_NO_DTLSv1_2)) {
-                s->version = DTLS1_2_VERSION;
-                s->method = DTLSv1_2_server_method();
-            } else if (tls1_suiteb(s)) {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                       SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
-                s->version = s->client_version;
-                al = SSL_AD_PROTOCOL_VERSION;
-                goto f_err;
-            } else if (s->client_version <= DTLS1_VERSION &&
-                       !(s->options & SSL_OP_NO_DTLSv1)) {
-                s->version = DTLS1_VERSION;
-                s->method = DTLSv1_server_method();
-            } else {
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                       SSL_R_WRONG_VERSION_NUMBER);
-                s->version = s->client_version;
-                al = SSL_AD_PROTOCOL_VERSION;
-                goto f_err;
-            }
-            s->session->ssl_version = s->version;
-        }
     }
 
     if (p + 2 > d + n) {
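Review bot: The last statement of the removed block, "s->session->ssl_version = s->version;", has no counterpart in the block added earlier in the function, so it is dropped rather than moved. That looks deliberate, since at the new site s->session is not yet the session for this handshake, but the commit message only describes a move. Please state that the assignment is intentionally gone and confirm that a session created after this point records the negotiated s->version, so a later resumption attempt compares like with like.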
-- 
2.7.4

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
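
The ordering problem discussed in this thread, as an added example that is not part of the original mail or of OpenSSL: a small stand-alone C model of the resumption check run before and after version selection. The struct, resume_hit() and its parameters are hypothetical; the selection logic follows the patch with option flags and Suite B left out, and the initial s->version of 0xFEFD is the value reported in the thread.

```c
#include <stdio.h>

/* DTLS wire versions: the number falls as the protocol version rises. */
#define DTLS1_VERSION    0xFEFF
#define DTLS1_2_VERSION  0xFEFD
#define DTLS_ANY_VERSION 0x1FFFF

/* Hypothetical stand-in for the few SSL fields the thread talks about. */
struct conn {
    int method_version;  /* s->method->version */
    int version;         /* s->version */
    int client_version;  /* s->client_version from the ClientHello */
    int hit;             /* s->hit */
};

/* Version selection as in the patch, without option flags and Suite B. */
static int select_version(struct conn *c)
{
    if (c->method_version != DTLS_ANY_VERSION)
        return 1;                       /* fixed-version method, nothing to do */
    if (c->client_version <= DTLS1_2_VERSION)
        c->version = DTLS1_2_VERSION;
    else if (c->client_version <= DTLS1_VERSION)
        c->version = DTLS1_VERSION;
    else
        return 0;                       /* no common version */
    c->method_version = c->version;
    return 1;
}

/* Returns s->hit, or -1 if no version can be selected, for a cached session
 * recorded at cached_version; negotiate_first picks the patched ordering. */
int resume_hit(int client_version, int cached_version, int negotiate_first)
{
    struct conn c = { DTLS_ANY_VERSION, DTLS1_2_VERSION, client_version, 0 };
    if (negotiate_first && !select_version(&c))
        return -1;
    c.hit = (c.version == cached_version);   /* the resumption check */
    if (!negotiate_first && !select_version(&c))
        return -1;
    return c.hit;
}

int main(void)
{
    printf("1.0 client: lookup first hit=%d, negotiate first hit=%d\n",
           resume_hit(DTLS1_VERSION, DTLS1_VERSION, 0),
           resume_hit(DTLS1_VERSION, DTLS1_VERSION, 1));
    return 0;
}
```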