Closed Bug 1553443 Opened 5 years ago Closed 5 years ago

post-handshake authentication with selfserv and openssl fails if SSL_ENABLE_SESSION_TICKETS is set

Categories

(NSS :: Libraries, defect)

3.44
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hkario, Unassigned)

Details

Attachments

(1 file)

When selfserv is configured with support for session resumption (-u option), the post-handshake authentication is rejected by NSS with a decrypt_error (suggesting that NSS considers the signature to be incorrect).

When the server doesn't send NewSessionTicket messages, the authentication succeeds, which would suggest that the fix from bug 1532312 was incomplete.

Tests were run with 3.44.0.

I didn't check interaction with KeyUpdate messages, but I'm afraid they're affected too

Summary: post-handshake authentication with selfserv and openssl fails → post-handshake authentication with selfserv and openssl fails (NewSessionTicket case)
Summary: post-handshake authentication with selfserv and openssl fails (NewSessionTicket case) → post-handshake authentication with selfserv and openssl fails if SSL_ENABLE_SESSION_TICKETS is set

(In reply to Hubert Kario from comment #1)

> I didn't check interaction with KeyUpdate messages, but I'm afraid they're affected too

That should be okay; the problem is that NST is sent before marking the handshake as completed.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.45