<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/dueno">Daiki Ueno</a>
<a href="https://gitlab.com/gnutls/gnutls/-/issues/1239#note_576317324">commented</a>:
</p>
<div style="">
<p dir="auto">Thank you for the report. When running under <code>GNUTLS_DEBUG_LEVEL=10</code>, the server program outputs the following lines:</p>
<pre class="code highlight js-syntax-highlight language-console" lang="console" v-pre="true"><code><span id="LC1" class="line" lang="console"><span class="go">gnutls[3]: ASSERT: session_ticket.c[_gnutls_decrypt_session_ticket]:201</span></span>
<span id="LC2" class="line" lang="console"><span class="go">gnutls[3]: ASSERT: tls13/session_ticket.c[_gnutls13_unpack_session_ticket]:479</span></span></code></pre>
<p dir="auto">That means the session ticket sent from the client cannot be decrypted because of a missing key. It seems that the server always regenerates the STEK when a new session is created, while it needs to persist across sessions, so <a href="https://gitlab.com/gnutls/gnutls/uploads/f6a53bcf5621a05fc3a4f017c91788dc/stek.patch" data-link="true" class="gfm">stek.patch</a> should fix the issue.</p>
<p dir="auto">On the other hand, the crash is certainly an issue: given that the GnuTLS API currently doesn't support provisioning encryption parameters along with an external PSK, we should reject early data upon resumption failure.</p>
</div>
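<p dir="auto">Added example, not part of the comment above and not GnuTLS code: a small model of why a session ticket encryption key (STEK) regenerated per session breaks resumption, and of refusing early data when the ticket cannot be opened. The names <code>Stek</code>, <code>seal_ticket</code>, <code>open_ticket</code> and <code>resume</code>, the ticket layout, and the HMAC-based keystream standing in for a real AEAD cipher are all assumptions made for illustration.</p>
<pre>
```python
import hashlib
import hmac
import os

# Constructed model: not the GnuTLS ticket format or its cipher.
class Stek:
    """Session ticket encryption key: a public key name plus secret key bytes."""
    def __init__(self):
        self.name = os.urandom(16)
        self.key = os.urandom(32)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, a stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while length > len(out):
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_ticket(stek, state):
    """Encrypt then MAC: key name (16) || nonce (16) || body || tag (32)."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(state, _keystream(stek.key, nonce, len(state))))
    header = stek.name + nonce + body
    return header + hmac.new(stek.key, b"mac" + header, hashlib.sha256).digest()

def open_ticket(stek, ticket):
    """Return the session state, or None when this key cannot open the ticket."""
    if 64 > len(ticket):
        return None
    header, tag = ticket[:-32], ticket[-32:]
    name, nonce, body = header[:16], header[16:32], header[32:]
    if not hmac.compare_digest(name, stek.name):
        return None  # sealed under a key the server no longer holds
    expected = hmac.new(stek.key, b"mac" + header, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # modified or forged ticket
    return bytes(a ^ b for a, b in zip(body, _keystream(stek.key, nonce, len(body))))

def resume(per_session_key):
    """Issue a ticket on connection 1 and present it on connection 2."""
    process_key = Stek()  # generated once, shared by every session
    key1 = Stek() if per_session_key else process_key
    ticket = seal_ticket(key1, b"constructed-session-state")
    key2 = Stek() if per_session_key else process_key  # key seen by connection 2
    state = open_ticket(key2, ticket)
    # Failed resumption: fall back to a full handshake and refuse early data.
    return {"resumed": state is not None, "accept_early_data": state is not None}
```
</pre>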


</div>
</body>
</html>