[PATCH] session ticket support

Daiki Ueno ueno at unixuser.org
Tue Jul 28 03:27:39 CEST 2009


>>>>> In <4A6C5385.9010504 at gnutls.org> 
>>>>>	Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> > The combination of OpenSSL s_client and gnutls-serv seems OK, but
> > gnutls-cli and s_server cannot continue handshake.  I'm now
> > investigating what is going on.  Anyway, I attach the log files of:

> Probably you have tried already but I would suggest -tlsextdebug -state
> instead of -msg... The actual messages might be easier to see using
> wireshark.

Thanks, it really helped.  It turned out that there was a bug in session
ID handling of my previous patch.

> If I am correctly checking the log, it seems from the capture that
> openssl doesn't send the NewSessionTicket on subsequent handshakes.
> Could it be this the reason that gnutls-cli fails?

Yes, it was the immediate cause.  If a client reuses the previous session
ID, s_server returns an empty session ID and behaves as if the session is
resumed (this might be a bug of OpenSSL).

When I changed _gnutls_recv_new_session_ticket to generate a new session
ID, it started to work.  I attach the new patch, which includes:

* Adaptation for gnutls-cli/gnutls-serv.

  Session ticket support is enabled by default, while it can be disabled
  by the --noticket option.  You can test the interoperability with:

  $ gnutls-serv -p 10000 --nodb --x509cafile x509-ca.pem \
    --x509keyfile x509-server-key.pem --x509certfile x509-server.pem
  $ openssl s_client -connect localhost:10000 -reconnect

  and

  $ openssl s_server -accept 10000 -CAfile x509-ca.pem \
    -key x509-server-key.pem -cert x509-server.pem
  $ gnutls-cli -p 10000 --resume localhost

* New interface functions as you suggested.

  int gnutls_session_ticket_allocate_key (gnutls_session_ticket_key_t *);
  int gnutls_session_ticket_randomize (gnutls_session_ticket_key_t);
  int gnutls_session_ticket_import (gnutls_session_t, void *, size_t);
  int gnutls_session_ticket_export (gnutls_session_t, void *, size_t *);

-------------- next part --------------
A non-text attachment was scrubbed...
Name: session3.diff.gz
Type: application/octet-stream
Size: 11838 bytes
Desc: not available
URL: </pipermail/attachments/20090728/2ee0ffcf/attachment.obj>

Regards,
-- 
Daiki Ueno
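The resumption rule this message turns on (RFC 5077 section 3.4: the client offers a ticket together with a non-empty session ID, and the server signals that it accepted the ticket by echoing that session ID in ServerHello, otherwise it picks a new one and runs a full handshake) modelled in Python, as an added example that is not part of the patch or of GnuTLS. Everything in it is constructed: TicketServer and TicketClient are hypothetical names, the ticket carries only an issue time, a placeholder state and an HMAC-SHA256 tag (the encryption step of the RFC 5077 ticket format is left out, so the state is integrity-protected but not confidential), the client generates a fresh random session ID whenever it offers a ticket, and rotating the server key stands in for what the proposed gnutls_session_ticket_randomize would do.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import List, Optional

MAC_LEN = 32            # HMAC-SHA256 tag length
TICKET_LIFETIME = 3600  # seconds a ticket stays acceptable (constructed value)


@dataclass
class ClientHello:
    session_id: bytes        # empty on the very first connection
    ticket: Optional[bytes]  # SessionTicket extension payload, if the client has one


@dataclass
class ServerHello:
    session_id: bytes
    new_ticket: Optional[bytes]  # NewSessionTicket, sent only after a full handshake


class TicketServer:
    """Hypothetical server side: issues and verifies MAC-protected tickets."""

    def __init__(self, key: Optional[bytes] = None):
        # Fresh random key, the role of the proposed allocate_key/randomize functions
        self.key = key if key is not None else os.urandom(32)

    def issue(self, state: bytes, now: int) -> bytes:
        body = struct.pack(">I", now) + state
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def verify(self, ticket: bytes, now: int) -> Optional[bytes]:
        """Return the protected state, or None if the ticket is forged, stale or malformed."""
        if len(ticket) < 4 + MAC_LEN:
            return None
        body, tag = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        (created,) = struct.unpack(">I", body[:4])
        if now < created or now - created > TICKET_LIFETIME:
            return None
        return body[4:]

    def handle(self, hello: ClientHello, now: int) -> ServerHello:
        state = self.verify(hello.ticket, now) if hello.ticket else None
        if state is not None:
            # Ticket accepted: echo the client's session ID (RFC 5077 sec. 3.4), no new ticket
            return ServerHello(session_id=hello.session_id, new_ticket=None)
        # Full handshake: choose a new session ID and hand out a fresh ticket
        placeholder_state = b"master-secret-and-cipher-suite"  # constructed stand-in
        return ServerHello(session_id=os.urandom(32),
                           new_ticket=self.issue(placeholder_state, now))


class TicketClient:
    """Hypothetical client side: keeps the last ticket across connections (what
    --resume, or the proposed export/import functions, would persist)."""

    def __init__(self):
        self.ticket: Optional[bytes] = None

    def hello(self) -> ClientHello:
        # The fix from the message: a fresh session ID every time a ticket is offered,
        # so the echoed-ID test below has something unambiguous to compare against
        sid = os.urandom(32) if self.ticket is not None else b""
        return ClientHello(session_id=sid, ticket=self.ticket)

    def process(self, hello: ClientHello, sh: ServerHello) -> bool:
        """Return True if the server resumed the session, False for a full handshake."""
        resumed = bool(hello.session_id) and sh.session_id == hello.session_id
        if sh.new_ticket is not None:
            self.ticket = sh.new_ticket
        return resumed


def run(client: TicketClient, server: TicketServer, times: List[int]) -> List[bool]:
    """Drive one connection per timestamp and collect the resumption outcomes."""
    outcomes = []
    for now in times:
        ch = client.hello()
        sh = server.handle(ch, now)
        outcomes.append(client.process(ch, sh))
    return outcomes


def demo():
    server, client = TicketServer(), TicketClient()
    flow = run(client, server, [1000, 1010, 1020])               # full, then two resumptions
    expired = run(client, server, [1020 + TICKET_LIFETIME + 1])  # ticket too old: full again
    server.key = os.urandom(32)                                  # key rotation invalidates tickets
    rotated = run(client, server, [6000, 6005])                  # full, then resumed under new key
    return flow, expired, rotated


if __name__ == "__main__":
    print(demo())
```

The expiry and key-rotation runs show the two reasons a server legitimately refuses a ticket; in both cases the client sees a session ID that differs from the one it sent, falls back to a full handshake and stores the new ticket, which is exactly the behaviour gnutls-cli --resume needs against a server that has rotated its key.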

