[PATCH] session ticket support
Daiki Ueno
ueno at unixuser.org
Tue Jul 28 03:27:39 CEST 2009
>>>>> In <4A6C5385.9010504 at gnutls.org>
>>>>> Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> > The combination of OpenSSL s_client and gnutls-serv seems OK, but
> > gnutls-cli and s_server cannot continue handshake. I'm now
> > investigating what is going on. Anyway, I attach the log files of:
> Probably you have tried already but I would suggest -tlsextdebug -state
> instead of -msg... The actual messages might be easier to see using
> wireshark.
Thanks, it really helped. It turned out that there was a bug in session
ID handling of my previous patch.
> If I am correctly checking the log, it seems from the capture that
> openssl doesn't send the NewSessionTicket on subsequent handshakes.
> Could this be the reason that gnutls-cli fails?
Yes, it was the immediate cause. If a client reuses a previous session
ID, s_server returns an empty session ID and behaves as if the session is
resumed (this might be a bug in OpenSSL).
When I changed _gnutls_recv_new_session_ticket to generate a new session
ID, it started to work. I attach the new patch, which includes:
* Adaptation for gnutls-cli/gnutls-serv.
Session ticket support is enabled by default, but it can be disabled
with the --noticket option. You can test the interoperability with:
$ gnutls-serv -p 10000 --nodb --x509cafile x509-ca.pem \
--x509keyfile x509-server-key.pem --x509certfile x509-server.pem
$ openssl s_client -connect localhost:10000 -reconnect
and
$ openssl s_server -accept 10000 -CAfile x509-ca.pem \
-key x509-server-key.pem -cert x509-server.pem
$ gnutls-cli -p 10000 --resume localhost
* New interface functions as you suggested.
int gnutls_session_ticket_allocate_key (gnutls_session_ticket_key_t *);
int gnutls_session_ticket_randomize (gnutls_session_ticket_key_t);
int gnutls_session_ticket_import (gnutls_session_t, void *, size_t);
int gnutls_session_ticket_export (gnutls_session_t, void *, size_t *);
[Attachment: session3.diff.gz, application/octet-stream, 11838 bytes, </pipermail/attachments/20090728/2ee0ffcf/attachment.obj>]
Regards,
--
Daiki Ueno
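The interop problem above hinges on two things: the exact shape of the NewSessionTicket handshake message that the debugging flags and wireshark expose, and what a client should do when a server issues a ticket but answers with an empty session ID. The following C code is an added example, not part of Daiki Ueno's patch or of GnuTLS; it parses the RFC 5077 section 3.3 message layout and models the client-side session ID decision the mail describes. All function and type names here are hypothetical, the sample message bytes are constructed, and the random generator is a stand-in supplied by the caller.

```c
/* Added example (not GnuTLS code): NewSessionTicket parsing and the
 * client-side session ID decision from the mail. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HS_NEW_SESSION_TICKET 4   /* HandshakeType value from RFC 5077 */
#define MAX_SESSION_ID 32         /* TLS session IDs are 0..32 bytes */

struct new_session_ticket {
    uint32_t lifetime_hint;   /* seconds; 0 means no hint given */
    const uint8_t *ticket;    /* points into the caller's buffer */
    size_t ticket_len;
};

/* Parse a complete handshake message: 1-byte type, 3-byte body length,
 * then body = uint32 ticket_lifetime_hint + opaque ticket<0..2^16-1>.
 * Returns 0 on success, -1 on any length inconsistency. */
int parse_new_session_ticket(const uint8_t *msg, size_t msg_len,
                             struct new_session_ticket *out)
{
    if (msg_len < 4 || msg[0] != HS_NEW_SESSION_TICKET) return -1;
    size_t body_len = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (body_len != msg_len - 4) return -1;    /* header disagrees with buffer */
    const uint8_t *body = msg + 4;
    if (body_len < 6) return -1;               /* 4 lifetime + 2 ticket length */
    out->lifetime_hint = ((uint32_t)body[0] << 24) | ((uint32_t)body[1] << 16)
                       | ((uint32_t)body[2] << 8)  |  (uint32_t)body[3];
    size_t tlen = ((size_t)body[4] << 8) | body[5];
    if (tlen != body_len - 6) return -1;       /* truncated or trailing bytes */
    out->ticket = body + 6;
    out->ticket_len = tlen;
    return 0;
}

/* Client side: decide which session ID to cache next to the ticket.
 * RFC 5077 section 3.4 lets a server that issues a ticket send an empty
 * session ID; the client then has to mint its own so the session can be
 * stored and looked up locally, which is the change the mail describes.
 * rng() fills buf with len random bytes and returns 0 on success. */
int client_choose_session_id(const uint8_t *server_sid, size_t server_sid_len,
                             int ticket_received,
                             int (*rng)(uint8_t *buf, size_t len),
                             uint8_t out_sid[MAX_SESSION_ID], size_t *out_len)
{
    if (server_sid_len > MAX_SESSION_ID) return -1;
    if (server_sid_len > 0) {                  /* server chose the ID: keep it */
        memcpy(out_sid, server_sid, server_sid_len);
        *out_len = server_sid_len;
        return 0;
    }
    if (!ticket_received) {                    /* empty ID, no ticket: not resumable */
        *out_len = 0;
        return 0;
    }
    if (rng(out_sid, MAX_SESSION_ID) != 0) return -1;
    *out_len = MAX_SESSION_ID;
    return 0;
}

/* Constructed sample: type 4, body length 14, lifetime 7200 s, 8-byte ticket. */
static const uint8_t sample_msg[] = {
    0x04, 0x00, 0x00, 0x0E,
    0x00, 0x00, 0x1C, 0x20,
    0x00, 0x08,
    0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04
};

/* Stand-in RNG for the demo only: fills with a constant, never use in practice. */
static int fake_rng(uint8_t *buf, size_t len) { memset(buf, 0xAB, len); return 0; }

uint32_t demo_lifetime(void)
{
    struct new_session_ticket t;
    return parse_new_session_ticket(sample_msg, sizeof sample_msg, &t) == 0
           ? t.lifetime_hint : 0;
}

size_t demo_ticket_len(void)
{
    struct new_session_ticket t;
    return parse_new_session_ticket(sample_msg, sizeof sample_msg, &t) == 0
           ? t.ticket_len : 0;
}

/* Same message with the last ticket byte cut off must be rejected. */
int demo_truncated(void)
{
    struct new_session_ticket t;
    return parse_new_session_ticket(sample_msg, sizeof sample_msg - 1, &t);
}

/* Empty server session ID plus a ticket: the client mints a 32-byte ID. */
size_t demo_minted_sid_len(void)
{
    uint8_t sid[MAX_SESSION_ID];
    size_t len = 0;
    if (client_choose_session_id(NULL, 0, 1, fake_rng, sid, &len) != 0) return 0;
    return len;
}
```

The parser checks the 3-byte handshake length against the buffer and the 2-byte ticket length against the body, so a message that is cut short or carries trailing bytes is refused rather than silently read past its end; the session ID helper keeps a server-chosen ID unchanged and only mints one when the server sent none together with a ticket.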