[openssl.org #1591] get_session_cb callback invoked with no previous session in 0.9.8f

2007-10-19 Thread Lutz Jaenicke via RT
Fixed in 0.9.8g

OpenSSL Project http://www.openssl.org, Development Mailing List openssl-dev@openssl.org

[openssl.org #1591] get_session_cb callback invoked with no previous session in 0.9.8f

2007-10-17 Thread [EMAIL PROTECTED] via RT
Starting with OpenSSL 0.9.8f, ssl3_get_client_hello() no longer tests whether the client proposed a previous session_id before trying to process it. In previous releases, a new session was always created if no previous session was proposed (i.e. if j==0 at ssl\s3_srvr.c:746)

[openssl.org #1591] get_session_cb callback invoked with no previous session in 0.9.8f

2007-10-17 Thread Lutz Jaenicke via RT
[EMAIL PROTECTED] - Wed Oct 17 18:11:27 2007]: Starting with OpenSSL 0.9.8f, ssl3_get_client_hello() no longer tests whether the client proposed a previous session_id before trying to process it. In previous releases, a new session was always created if no previous session was proposed

Re: [openssl.org #1591] get_session_cb callback invoked with no previous session in 0.9.8f

2007-10-17 Thread [EMAIL PROTECTED] via RT
Hi Lutz, Apologies, I should have included a stack trace with the bug report. FYI - attached is a Windows/Apache 2.2.6/OpenSSL 0.9.8f VC8 stack trace. The problem is not Windows-specific. I observe it on several platforms. This patch seems to correct the problem by checking for a zero-length

[openssl.org #1591] get_session_cb callback invoked with no previous session in 0.9.8f

2007-10-17 Thread Stephen Henson via RT
The code was changed when TLS ticket support was added. In that case a zero length session ID can result in a resumed session based on the ticket. It didn't catch the case where ticket resumption failed and the session length was zero. This patch should fix it:

Re: [openssl.org #1591] get_session_cb callback invoked with no previous session in 0.9.8f

2007-10-17 Thread [EMAIL PROTECTED] via RT
Yes - the patch at http://cvs.openssl.org/chngview?cn=16691 corrects the problem. Tested with Apache 2.2.6 on Windows and Debian 4.0. -tom- Stephen Henson via RT wrote: The code was changed when TLS ticket support was added. In that case a zero length session ID can result in a resumed