aboutsummaryrefslogtreecommitdiffstats
path: root/src/hash
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-06-09 07:44:29 +0000
committerlloyd <[email protected]>2012-06-09 07:44:29 +0000
commit972629873d6c32055d75c2340faea1c8b0572467 (patch)
tree07fda8d425e5187adc3162540155682c912934fc /src/hash
parentbc8858f4bc68889a8668a9665e1b7352f1ae5fff (diff)
A fix for bug 191, that we were not preventing resumption of sessions in the
case of a fatal alert, as required by section 7.2.2 of RFC 5246. Resolve this by storing the currently active session in Channel. Whenever we send or receive a fatal alert, tell the session manager to forget about that session. This still doesn't strictly meet the requirement for servers, as a session ticket is not invalidated and could later be reused. A conforming client would forget the whole session including the ticket, but that is assuming the attacker wouldn't prevent delivery of the alert message. However it would be difficult for the server to meet this requirement without per-ticket keys or keeping state about which tickets should not be resumable, both of which are stupid given the whole point of session tickets is that it allows resumption without server side state. OpenSSL also seems to allow resumption of sessions ending in a fatal alert when resumed though a ticket.
Diffstat (limited to 'src/hash')
0 files changed, 0 insertions, 0 deletions