]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9e58ea4) | patch
Stop a TLSv1.3 server emitting an unsolicited PSK extension
authorMatt Caswell <matt@openssl.org>
Thu, 8 May 2025 13:54:35 +0000 (14:54 +0100)
committerTomas Mraz <tomas@openssl.org>
Tue, 13 May 2025 12:13:00 +0000 (14:13 +0200)
commit3e7f7ade4c75d3676a4f9421b008c32ca1ba0d37
tree8ca727088e899f2bbe78fe89e59125651524516atree
parent9e58ea4b10a1093518b4fbf6e3f62ae13e458adecommit | diff
Stop a TLSv1.3 server emitting an unsolicited PSK extension

If we attempt to accept a connection on an SSL object, and the
application has set an SSL_SESSION on that SSL object then we
can mistakenly believe that we are resuming and
emit an unsolicited PSK extension back to the client.

This can especially happen when using SSL_clear() which leaves
any SSL_SESSION associated with the SSL object.

See
https://github.com/openssl/openssl/discussions/27563#discussioncomment-13049352
and
https://github.com/openssl/openssl/discussions/24567

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27584)

(cherry picked from commit aa8bca2e81030560d690cb68bbcbe8b7d00d1d29)
ssl/ssl_sess.c diff | blob | blame | history
test/sslapitest.c diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git