gnutls-devel
From: Daiki Ueno
Subject: Re: [PATCH] session ticket support
Date: Tue, 28 Jul 2009 10:27:39 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.96 (gnu/linux)

>>>>> In <address@hidden> 
>>>>>   Nikos Mavrogiannopoulos <address@hidden> wrote:
> > The combination of OpenSSL s_client and gnutls-serv seems OK, but
> > gnutls-cli and s_server cannot continue handshake.  I'm now
> > investigating what is going on.  Anyway, I attach the log files of:

> Probably you have tried already but I would suggest -tlsextdebug -state
> instead of -msg... The actual messages might be easier to see using
> wireshark.

Thanks, it really helped.  It turned out that there was a bug in session
ID handling of my previous patch.

> If I am correctly checking the log, It seems from the capture that
> openssl doesn't send the NewSessionTicket on subsequent handshakes.
> Could it be this the reason that gnutls-cli fails?

Yes, it was the immediate cause.  If a client reuses the previous session
ID, s_server returns an empty session ID and behaves as if the session is
resumed (this might be a bug in OpenSSL).

When I changed _gnutls_recv_new_session_ticket to generate a new session
ID, it started to work.  I attach the new patch, which includes:

* Adaptation for gnutls-cli/gnutls-serv.

  Session ticket support is enabled by default, but it can be disabled
  with the --noticket option.  You can test the interoperability with:

  $ gnutls-serv -p 10000 --nodb --x509cafile x509-ca.pem \
    --x509keyfile x509-server-key.pem --x509certfile x509-server.pem
  $ openssl s_client -connect localhost:10000 -reconnect

  and

  $ openssl s_server -accept 10000 -CAfile x509-ca.pem \
    -key x509-server-key.pem -cert x509-server.pem
  $ gnutls-cli -p 10000 --resume localhost

* New interface functions as you suggested.

  int gnutls_session_ticket_allocate_key (gnutls_session_ticket_key_t *);
  int gnutls_session_ticket_randomize (gnutls_session_ticket_key_t);
  int gnutls_session_ticket_import (gnutls_session_t, void *, size_t);
  int gnutls_session_ticket_export (gnutls_session_t, void *, size_t *);

Attachment: session3.diff.gz
Description: Binary data

Regards,
-- 
Daiki Ueno
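
The message above covers two things a practitioner will want to see side by side: the ticket itself (the key_name || IV || encrypted state || MAC layout RFC 5077 recommends, protected by a server-side key of the kind the proposed gnutls_session_ticket_allocate_key / _randomize functions would manage) and the session-ID echo a client relies on to tell a resumed handshake from a full one. The following is an added illustration written for this page, not code from the patch or from GnuTLS or OpenSSL. It assumes a simplified exchange (no cipher-suite negotiation, tickets issued only on full handshakes), uses an HMAC-SHA256 keystream as a stand-in for the AES-128-CBC RFC 5077 suggests because the Python standard library has no AES, and all class and function names (TicketKey, TicketServer, TicketClient, handshake) are hypothetical.

```python
"""Model of RFC 5077 ticket issuance and ticket-based resumption.

Illustrative code, not GnuTLS's or OpenSSL's.  Shows the recommended
ticket layout, MAC-before-decrypt verification, key_name lookup so keys
can rotate, and the session-ID echo a client uses to detect resumption.
"""
import hashlib
import hmac
import secrets

KEY_NAME_LEN, IV_LEN, MAC_LEN = 16, 16, 32

# Constructed stand-in for the serialized session state a real server
# would put in the ticket (cipher suite, master secret, ...).
SESSION_STATE = b"TLS_RSA_WITH_AES_128_CBC_SHA|master:" + b"\x11" * 48


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Stand-in for AES-128-CBC (stdlib has no AES): HMAC-SHA256 over
    # iv||counter used as a PRF keystream.  Same call encrypts and decrypts.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


class TicketKey:
    """Server-side ticket protection key: random key_name plus separate
    encryption and MAC keys, never sent to the client (hypothetical name)."""
    def __init__(self):
        self.key_name = secrets.token_bytes(KEY_NAME_LEN)
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)


class TicketServer:
    def __init__(self):
        self.rotate()

    def rotate(self):
        # Simplification: only the newest key is accepted.  A real server
        # keeps the previous key for a grace period so live tickets still open.
        self.current = TicketKey()
        self.keys = {self.current.key_name: self.current}

    def issue(self, state: bytes) -> bytes:
        iv = secrets.token_bytes(IV_LEN)
        body = self.current.key_name + iv + keystream_xor(self.current.enc_key, iv, state)
        return body + hmac.new(self.current.mac_key, body, hashlib.sha256).digest()

    def open(self, ticket: bytes):
        """Return the decrypted state, or None if the ticket must be rejected."""
        if len(ticket) < KEY_NAME_LEN + IV_LEN + MAC_LEN:
            return None
        key = self.keys.get(ticket[:KEY_NAME_LEN])
        if key is None:
            return None  # unknown key_name (rotated away): fall back to full handshake
        body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
        expected = hmac.new(key.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # MAC verified in constant time before any decryption
        iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
        return keystream_xor(key.enc_key, iv, body[KEY_NAME_LEN + IV_LEN:])

    def server_hello(self, client_session_id: bytes, ticket):
        """Return (session_id, state).  On acceptance the client's session ID
        is echoed, which is how the client learns the session was resumed."""
        state = self.open(ticket) if ticket else None
        if state is None:
            return secrets.token_bytes(32), None  # full handshake, new ticket later
        return client_session_id, state


class TicketClient:
    def __init__(self):
        self.ticket = None
        self.session_id = b""

    def client_hello(self):
        # A fresh session ID on every attempt, so an echo is unambiguous.
        self.session_id = secrets.token_bytes(32)
        return self.session_id, self.ticket

    def resumed(self, server_session_id: bytes) -> bool:
        return server_session_id == self.session_id

    def on_new_session_ticket(self, ticket: bytes):
        self.ticket = ticket


def handshake(client: TicketClient, server: TicketServer) -> bool:
    """One ClientHello/ServerHello round; True if the server resumed."""
    sid, ticket = client.client_hello()
    server_sid, state = server.server_hello(sid, ticket)
    resumed = client.resumed(server_sid)
    if not resumed:
        client.on_new_session_ticket(server.issue(SESSION_STATE))
    return resumed
```

Running handshake() twice against the same server gives a full handshake followed by a resumed one; flipping any byte of the ticket, or rotating the server key, makes open() return None and the next handshake fall back to a full one that issues a fresh ticket. That fallback path is the one to exercise when testing against a peer, since a server that silently treats an unverifiable ticket as resumed is the failure mode to look for.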
