Session ticket may not contain enough of the client cert chain to reconstruct it during resumption

Status: NEW
Assignee: Unassigned
Product: NSS
Component: Libraries
Reported: 7 years ago
Modified: 4 years ago
Reporter: briansmith
Blocks: 1 bug
Firefox Tracking Flags: Not tracked

Details

The server side of libssl includes the client EE certificate (if there is one), but it doesn't include any intermediaries. That means the server may not be able to reconstruct the client's cert chain in a resumed session. (Whether or not this is useful or necessary depends on the application.)
See also Bug 657237 comment 0.
If the whole client cert chain were to be included in the session ticket, it would be more likely that the session ticket would become too large to fit inside the client hello extension. If/when we fix this bug (and, really, even if we don't), we should make sure that we never try to send a NewSessionTicket message with a session ticket larger than (2^16 - 1) bytes.
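The size limit the comment describes, as an added example in C that is not NSS code: an RFC 5077 NewSessionTicket encoder that refuses a ticket longer than 2^16 - 1 bytes instead of truncating it, plus a sizing routine showing how carrying the full client chain in the ticket can push it past that limit. The chain layout and the 1000-byte blob of other resumption state in the demo are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* The ticket field of NewSessionTicket is opaque ticket<0..2^16-1>
 * (RFC 5077, section 3.3), so a longer ticket cannot be encoded. */
#define MAX_TICKET_LEN 65535u

/* Encode a NewSessionTicket body: uint32 ticket_lifetime_hint followed by
 * the 16-bit length-prefixed ticket. Returns bytes written, or 0 when the
 * ticket would not fit its length field or the output buffer. The length
 * check runs before `ticket` is read, so an oversized ticket is refused. */
size_t encode_new_session_ticket(uint32_t lifetime_hint, const uint8_t *ticket,
                                 size_t ticket_len, uint8_t *out, size_t out_cap)
{
    size_t need = 4 + 2 + ticket_len;
    if (ticket_len > MAX_TICKET_LEN || out_cap < need)
        return 0;
    out[0] = (uint8_t)(lifetime_hint >> 24);
    out[1] = (uint8_t)(lifetime_hint >> 16);
    out[2] = (uint8_t)(lifetime_hint >> 8);
    out[3] = (uint8_t)lifetime_hint;
    out[4] = (uint8_t)(ticket_len >> 8);
    out[5] = (uint8_t)ticket_len;
    memcpy(out + 6, ticket, ticket_len);
    return need;
}

/* Size a ticket reaches if it carries the whole client chain, laid out like
 * a Certificate message (3-byte list length, 3-byte length per cert), on top
 * of `other_state` bytes of other resumption state. */
size_t ticket_len_with_chain(const size_t *cert_lens, size_t n_certs, size_t other_state)
{
    size_t len = other_state + 3;
    for (size_t i = 0; i < n_certs; i++)
        len += 3 + cert_lens[i];
    return len;
}

/* Constructed scenario (assumption): 1000 bytes of other state plus a chain
 * of n_certs certificates of cert_len bytes each. Returns the encoded message
 * size, or 0 when the chain pushes the ticket past the 16-bit limit. */
size_t demo_ticket_with_chain(size_t cert_len, size_t n_certs)
{
    static uint8_t ticket[MAX_TICKET_LEN], out[6 + MAX_TICKET_LEN];
    size_t lens[8] = {0};
    if (n_certs > 8) return 0;
    for (size_t i = 0; i < n_certs; i++) lens[i] = cert_len;
    size_t len = ticket_len_with_chain(lens, n_certs, 1000);
    memset(ticket, 0xAB, len < MAX_TICKET_LEN ? len : MAX_TICKET_LEN);
    return encode_new_session_ticket(3600, ticket, len, out, sizeof out);
}
```

Three 20000-byte certificates still fit, a fourth does not, and the encoder returns 0 rather than emitting a ticket whose length field has wrapped.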
Summary: Session ticket may not contain enough of the client cert chain to reconstruct it during resumption → Session ticket and server session cache entries may not contain enough of the client cert chain to reconstruct it during resumption
Summary: Session ticket and server session cache entries may not contain enough of the client cert chain to reconstruct it during resumption → Session ticket may not contain enough of the client cert chain to reconstruct it during resumption
Blocks: 981506