Welcome to the wolfSSL Forums!
Hi David,
Steps to reproduce:
- Take a server app with a custom ticket encryption callback
- Modify the callback to always return WOLFSSL_TICKET_RET_FATAL - the symbol name is misleading, because the ticket encryption callbacks that you provide (internal and myTicketEncCb() in wolfssl/test.h) return it in benign situations such as a name mismatch.
- Confirm that connections to the server can no longer be established if a client presents a ticket.
Fix:
Treat WOLFSSL_TICKET_RET_FATAL as non-fatal (perhaps rename the symbol, too).
Thanks!
When a client presents a ticket that causes DoClientTicket() to return an error (e.g., -1), the ticket should be disregarded and the handshake should complete. The current implementation instead terminates the handshake. If the client then retries with the same ticket, the connection attempts will loop forever - a pretty fatal real-world outcome.
Please change the logic in TLSX_SessionTicket_Parse() (under /* got actual ticket from client */) accordingly.
Thank you very much in advance!
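Both posts above describe the same failure mode: a ticket the server cannot decrypt (for example one issued under a rotated key) aborts the handshake instead of being ignored, and a client that keeps presenting the same stored ticket never connects. The following is an added example, not wolfSSL code and not the poster's code: a constructed, self-contained C model of that decision. The names `decrypt_ticket_cb`, `parse_session_ticket`, `connect_with_retries`, `demo_attempts` and the `TICKET_*` constants are hypothetical; only the result convention of a ticket encryption callback is mirrored (the page names `WOLFSSL_TICKET_RET_FATAL`). It contrasts the abort-on-bad-ticket policy with the fall-back policy the posts ask for, where the server completes a full handshake and issues a fresh ticket.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of session-ticket handling during a TLS handshake.
 * Not wolfSSL code: names are hypothetical and only mirror the result
 * convention of a ticket encryption callback. */
enum ticket_result { TICKET_OK = 0, TICKET_REJECT = 1, TICKET_FATAL = 2 };

/* Outcome of one connection attempt in the model. */
enum handshake_outcome { HS_RESUMED, HS_FULL, HS_ABORTED };

/* A model ticket: the key name it was protected with plus a validity flag. */
struct ticket {
    char key_name[16];
    int valid;                 /* nonzero when issued by this server */
};

/* Server state: current ticket key name and which policy it applies. */
struct server {
    char key_name[16];
    int abort_on_bad_ticket;   /* 1 = abort policy, 0 = fall-back policy */
};

/* Model of the user-supplied callback (decrypt direction). A key-name
 * mismatch is a benign event after key rotation, but a callback written as
 * the first post describes maps it to the FATAL code. */
static enum ticket_result decrypt_ticket_cb(const struct server *s,
                                            const struct ticket *t)
{
    if (strcmp(s->key_name, t->key_name) != 0)
        return TICKET_FATAL;   /* misleading name; benign in practice */
    return t->valid ? TICKET_OK : TICKET_REJECT;
}

/* Model of the server-side parse step. The fall-back policy disregards any
 * ticket that cannot be decrypted, performs a full handshake and re-issues
 * a ticket under the current key; the abort policy tears the handshake down. */
static enum handshake_outcome parse_session_ticket(const struct server *s,
                                                   struct ticket *t)
{
    enum ticket_result r = decrypt_ticket_cb(s, t);
    if (r == TICKET_OK)
        return HS_RESUMED;
    if (s->abort_on_bad_ticket)
        return HS_ABORTED;
    /* Full handshake: hand the client a fresh ticket it can resume with. */
    strncpy(t->key_name, s->key_name, sizeof t->key_name - 1);
    t->key_name[sizeof t->key_name - 1] = '\0';
    t->valid = 1;
    return HS_FULL;
}

/* Client retry loop: keeps presenting its stored ticket until a handshake
 * completes. Returns the attempt number that succeeded, or -1 once
 * max_attempts are exhausted (the "loops forever" outcome in the second post,
 * bounded here so the model terminates). */
int connect_with_retries(const struct server *s, struct ticket *stored,
                         int max_attempts)
{
    for (int i = 1; i <= max_attempts; i++) {
        enum handshake_outcome out = parse_session_ticket(s, stored);
        if (out != HS_ABORTED)
            return i;
        /* Aborted: the client still holds the same stale ticket. */
    }
    return -1;
}

/* Scenario: a client holding a ticket from a retired key ("key-2023",
 * constructed sample value) connects to a server now using "key-2024".
 * Returns attempts needed under the chosen policy, or -1 if never connected. */
int demo_attempts(int abort_on_bad_ticket)
{
    struct ticket stored = { "key-2023", 1 };
    struct server s = { "key-2024", abort_on_bad_ticket };
    return connect_with_retries(&s, &stored, 5);
}

/* Scenario: after the fall-back full handshake, the re-issued ticket resumes
 * on the next connection. Returns 1 when it does. */
int demo_reissued_ticket_resumes(void)
{
    struct ticket stored = { "key-2023", 1 };
    struct server s = { "key-2024", 0 };
    if (parse_session_ticket(&s, &stored) != HS_FULL)
        return 0;
    return parse_session_ticket(&s, &stored) == HS_RESUMED;
}

int main(void)
{
    printf("abort policy:     %d attempts\n", demo_attempts(1));
    printf("fall-back policy: %d attempts\n", demo_attempts(0));
    printf("re-issued ticket resumes: %d\n", demo_reissued_ticket_resumes());
    return 0;
}
```

The point the model makes is that the callback's result only decides between resumption and a full handshake; it should never decide whether the connection survives. Under the abort policy the client burns every attempt on the same stale ticket, while under the fall-back policy the first attempt completes and leaves the client holding a ticket that resumes next time.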
Posts found: 2