Re: [PATCH] session ticket support
From: Daiki Ueno
Subject: Re: [PATCH] session ticket support
Date: Tue, 28 Jul 2009 10:27:39 +0900
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.96 (gnu/linux)
>>>>> In <address@hidden>
>>>>> Nikos Mavrogiannopoulos <address@hidden> wrote:
> > The combination of OpenSSL s_client and gnutls-serv seems OK, but
> > gnutls-cli and s_server cannot continue handshake. I'm now
> > investigating what is going on. Anyway, I attach the log files of:
> Probably you have tried already but I would suggest -tlsextdebug -state
> instead of -msg... The actual messages might be easier to see using
> wireshark.
Thanks, it really helped. It turned out that there was a bug in session
ID handling of my previous patch.
> If I am correctly checking the log, It seems from the capture that
> openssl doesn't send the NewSessionTicket on subsequent handshakes.
> Could it be this the reason that gnutls-cli fails?
Yes, it was the immediate cause. If a client reuses the previous session
ID, s_server returns an empty session ID and behaves as if the session is
resumed (this might be a bug in OpenSSL).
When I changed _gnutls_recv_new_session_ticket to generate a new session
ID, it started to work. I attach the new patch, which includes:
* Adaptation for gnutls-cli/gnutls-serv.
Session ticket support is enabled by default, while it can be disabled
with the --noticket option. You can test the interoperability with:
$ gnutls-serv -p 10000 --nodb --x509cafile x509-ca.pem \
--x509keyfile x509-server-key.pem --x509certfile x509-server.pem
$ openssl s_client -connect localhost:10000 -reconnect
and
$ openssl s_server -accept 10000 -CAfile x509-ca.pem \
-key x509-server-key.pem -cert x509-server.pem
$ gnutls-cli -p 10000 --resume localhost
* New interface functions as you suggested.
int gnutls_session_ticket_allocate_key (gnutls_session_ticket_key_t *);
int gnutls_session_ticket_randomize (gnutls_session_ticket_key_t);
int gnutls_session_ticket_import (gnutls_session_t, void *, size_t);
int gnutls_session_ticket_export (gnutls_session_t, void *, size_t *);
Attachment: session3.diff.gz (binary data)
Regards,
--
Daiki Ueno
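The interoperability failure above comes down to how a client reads the ServerHello after offering a ticket. RFC 5077 section 3.4 says that when the client presents a ticket together with a non-empty session ID, a server that accepts the ticket must echo that session ID, which is what lets the client tell a resumed handshake from a full one; an empty session ID therefore tells a client to expect a full handshake, even though the server in the log went on as if resumed. The following is an added example, not code from the patch or from GnuTLS or OpenSSL: it encodes and parses the NewSessionTicket handshake message from RFC 5077 section 3.3 with strict length checks, and applies the section 3.4 session-ID rule to a constructed ServerHello like the one described in the message. The session IDs and ticket bytes are made up for the example.

```python
import struct

# HandshakeType new_session_ticket (RFC 5077 section 3.3) and the
# SessionTicket extension number (RFC 5077 section 7).
HANDSHAKE_NEW_SESSION_TICKET = 4
EXT_SESSION_TICKET = 0x0023


def encode_new_session_ticket(lifetime_hint, ticket):
    """Build a complete NewSessionTicket handshake message:
    HandshakeType(1) || length(3) || ticket_lifetime_hint(4) || ticket<0..2^16-1>."""
    if not 0 <= lifetime_hint <= 0xFFFFFFFF:
        raise ValueError("lifetime_hint does not fit in uint32")
    if len(ticket) > 0xFFFF:
        raise ValueError("ticket too long for a 16-bit length field")
    body = struct.pack("!IH", lifetime_hint, len(ticket)) + ticket
    return bytes([HANDSHAKE_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


def parse_new_session_ticket(msg):
    """Parse a NewSessionTicket message, checking every length field against
    the bytes actually present. Returns (lifetime_hint, ticket) or raises
    ValueError on a truncated or inconsistent message."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    if msg[0] != HANDSHAKE_NEW_SESSION_TICKET:
        raise ValueError("not a new_session_ticket message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:]
    if len(body) != body_len:
        raise ValueError("handshake length does not match message size")
    if body_len < 6:
        raise ValueError("body too short for lifetime_hint and ticket length")
    lifetime_hint, ticket_len = struct.unpack("!IH", body[:6])
    ticket = body[6:]
    if len(ticket) != ticket_len:
        raise ValueError("ticket length does not match remaining bytes")
    return lifetime_hint, ticket


def classify_server_hello(client_session_id, client_sent_ticket,
                          server_session_id, server_sent_ticket_ext):
    """Decide from the ServerHello what the client should expect next,
    following RFC 5077 section 3.4. Returns (outcome, expect_new_ticket):
      'resumed'       the server echoed the non-empty session ID we sent
      'full'          it did not, so a full handshake (Certificate, ...) follows
      'undetermined'  we offered a ticket with an empty session ID; only the
                      next record (ChangeCipherSpec vs. Certificate) decides
    expect_new_ticket is True when the server answered with the SessionTicket
    extension, i.e. a NewSessionTicket message precedes its ChangeCipherSpec."""
    expect_new_ticket = server_sent_ticket_ext
    if client_session_id and server_session_id == client_session_id:
        # Covers both ticket-based resumption and plain session-ID resumption.
        return "resumed", expect_new_ticket
    if client_sent_ticket and not client_session_id:
        return "undetermined", expect_new_ticket
    return "full", expect_new_ticket


def reproduce_reported_exchange():
    """Constructed version of the exchange described in the message: the
    client resends the session ID of the ticket-based session together with
    the ticket, and the server answers with an empty session ID."""
    reused_id = bytes.fromhex("0a0b0c0d")      # made-up session ID
    return classify_server_hello(reused_id, True, b"", True)


if __name__ == "__main__":
    msg = encode_new_session_ticket(3600, b"\x01\x02\x03")  # made-up ticket
    print(parse_new_session_ticket(msg))
    print(reproduce_reported_exchange())
```

A client written to the section 3.4 rule classifies the reported ServerHello as the start of a full handshake, while the server proceeds as if the session were resumed; the two sides then disagree about the next message, which matches the stalled handshake seen in the log.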
- [PATCH] session ticket support, Daiki Ueno, 2009/07/14
- Re: [PATCH] session ticket support, Nikos Mavrogiannopoulos, 2009/07/14
- Re: [PATCH] session ticket support, Nikos Mavrogiannopoulos, 2009/07/16
- Re: [PATCH] session ticket support, Daiki Ueno, 2009/07/17
- Re: [PATCH] session ticket support, Nikos Mavrogiannopoulos, 2009/07/17
- Re: [PATCH] session ticket support, Nikos Mavrogiannopoulos, 2009/07/25
- Re: [PATCH] session ticket support, Daiki Ueno, 2009/07/25
- Re: [PATCH] session ticket support, Nikos Mavrogiannopoulos, 2009/07/26
- Re: [PATCH] session ticket support, Daiki Ueno <=
- Re: [PATCH] session ticket support, Nikos Mavrogiannopoulos, 2009/07/29
- Re: [PATCH] session ticket support, Nikos Mavrogiannopoulos, 2009/07/30