From 03d14f58873470407de6120218b7e69fefd8b58f Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 20 Nov 2014 16:22:40 +0100 Subject: [PATCH] Do not resume a session if the negotiated protocol version does not match the session's version (server). See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde. Reviewed-by: Dr. Stephen Henson (cherry picked from commit 9e189b9dc10786c755919e6792e923c584c918a1) --- CHANGES | 6 ++++++ ssl/s3_srvr.c | 11 ++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 66c08e5b7..edf0ee3ac 100644 --- a/CHANGES +++ b/CHANGES @@ -365,6 +365,12 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] + *) Do not resume sessions on the server if the negotiated protocol + version does not match the session's version. Resuming with a different + version, while not strictly forbidden by the RFC, is of questionable + sanity and breaks all known clients. + [David Benjamin, Emilia Käsper] + *) Tighten handling of the ChangeCipherSpec (CCS) message: reject early CCS messages during renegotiation. (Note that because renegotiation is encrypted, this early CCS was not exploitable.) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 6f82d3ceb..3bf6cfec5 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1047,7 +1047,16 @@ int ssl3_get_client_hello(SSL *s) else { i=ssl_get_prev_session(s, p, j, d + n); - if (i == 1) + /* + * Only resume if the session's version matches the negotiated + * version. + * RFC 5246 does not provide much useful advice on resumption + * with a different protocol version. It doesn't forbid it but + * the sanity of such behaviour would be questionable. + * In practice, clients do not accept a version mismatch and + * will abort the handshake with an error. + */ + if (i == 1 && s->version == s->session->ssl_version) { /* previous session */ s->hit=1; }
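Review bot: in the ssl/s3_srvr.c hunk, the mismatch case (i == 1 but s->version != s->session->ssl_version) now falls through to the non-resumption branch with the looked-up session still attached to s->session by ssl_get_prev_session; please confirm that branch releases and replaces that session rather than leaving a stale, wrong-version session on the SSL object, and consider a one-line comment saying so, since the hunk's comment only explains why the check exists. The short-circuit order (`i == 1 &&` before the s->session dereference) is correct and should be preserved if the condition is later reworked. A smaller follow-up worth considering is moving the version comparison into ssl_get_prev_session itself, so the lookup rejects a mismatched session in one place and callers cannot forget the check.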