Topic: [SOLVED] Old certificates not discarded when server resume fails

Hi,

I am using wolfSSL_get1_session and wolfSSL_set_session to enable TLS session resumption.

Each time the server creates a new session instead of resuming the session (I trigger this by restarting my test openssl s_server, so that its session cache and ticket encryption key are dropped), the number of the session's certificate chains increases. (This is the number returned by wolfSSL_get_chain_count(chain) when run on the chain obtained through wolfSSL_get_peer_chain(ssl).)
This happens for both session ID and ticket-based session resumption.

Is this expected behavior? And if so, are there any guidelines on how to work with the certificate chains in such a case, e.g. for the purpose of hostname validation?

Thanks,
Martin


Re: [SOLVED] Old certificates not discarded when server resume fails

MartinH,

Can you tell us a little about what it is you are working on with session resumption?

Thank you for reporting this behavior to us. Is it possible for you to send us a test application (client to resume the session) and the steps with the openssl command line utility that you use to reproduce this for testing and implementing a fix? (If possible can the openssl commands be scripted in a post shell script?)

Thanks!

Kaleb

Re: [SOLVED] Old certificates not discarded when server resume fails

Hi Kaleb,

I might be able to send you a simple test application and script tomorrow or next week.

Currently, I am not using anything special for the testing. Just

openssl s_server -status_verbose -key testKey.pem -cert testCert.pem -accept <port_number>

and restarting manually by Ctrl+C and launching again.
OpenSSL version is 1.1.0h-fips (Fedora 27).

I don't think that the issue depends on ciphersuites used (maybe except for some PSK), I tested with TLS_DHE_RSA_WITH_AES_128_CBC_SHA and with TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.

Best regards,
Martin


Re: [SOLVED] Old certificates not discarded when server resume fails

Hi Kaleb,

Find attached a simple demo client based on https://github.com/wolfSSL/wolfssl-exam … s-resume.c and the corresponding scripts for preparing wolfSSL and running the tests.
A simple README with instructions is also present in the archive.

The issue is reproduced with both session ID and ticket-based resumption.
It is also reproduced regardless of whether SSL_VERIFY_PEER or SSL_VERIFY_NONE is set (these can be switched by sending 'p' or 'n' to the client's control socket).

Best regards,
Martin

Post's attachments

wolfSSL_demo.tar.gz 6.38 kb, 5 downloads since 2018-07-24 



Re: [SOLVED] Old certificates not discarded when server resume fails

Martin,

So sorry for the delay. Your colleague has been in touch with Rod Weaver and we are tracking these items now in our support domain which will guarantee faster response times!

I'll be reviewing the examples you sent over today. I have also added you to the zendesk ticket where these issues are being tracked.

Regards,

Kaleb

Re: [SOLVED] Old certificates not discarded when server resume fails

Hello,

Just to update the status for anyone who would stumble upon this in the future.

This issue has been addressed by https://github.com/wolfSSL/wolfssl/pull/1785 and it can be marked as solved.

Best regards,
Martin
