TLS session resumption: disable on gnutls < 3.5
authorVladimír Čunát <vladimir.cunat@nic.cz>
Fri, 29 Jun 2018 09:34:12 +0000 (11:34 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Fri, 29 Jun 2018 10:32:40 +0000 (12:32 +0200)
NEWS
daemon/tls_session_ticket-srv.c

diff --git a/NEWS b/NEWS
index d68bfae7ee46ea83b7764161cff5a3e8b431ab89..fbbabeff81343602e9d8c07431e1a9c1e6dec8b1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ Security
 New features
 ------------
 - TLS session resumption (RFC 5077), both server and client (!585, #105)
+  (disabled when compiling with gnutls < 3.5)
 - aggressive caching for NSEC3 zones
 - optional protection from DNS Rebinding attack (module rebinding)
 
index 11a7e31964f13dae7483fd0dd5fa7e5f4ca677ee..9c7acbb1816bb8d14a6f506b9a1ca36133c4227d 100644 (file)
@@ -240,6 +240,10 @@ tst_ctx_t * tls_session_ticket_ctx_create(uv_loop_t *loop, const char *secret,
                                          size_t secret_len)
 {
        assert(loop && (!secret_len || secret));
+       #if GNUTLS_VERSION_NUMBER < 0x030500
+               /* We would need different SESSION_KEY_SIZE; avoid assert. */
+               return NULL;
+       #endif
        tst_ctx_t *ctx = tst_key_create(secret, secret_len, loop);
        if (ctx) {
                tst_key_check(&ctx->timer, true);
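Review bot: On gnutls < 3.5 the early `return NULL;` in tls_session_ticket_ctx_create makes "resumption not compiled in" indistinguishable from a failed tst_key_create(), so a configured ticket secret is dropped with no signal to the operator. Failing closed is the safe direction here, but the callers (not visible in this hunk) must all treat NULL as a normal outcome and never dereference it. I would put the remainder of the body under `#else` so the old-gnutls build carries no unreachable code, and state the contract above the function, e.g. `/* Returns NULL on failure or when built against gnutls < 3.5 (session tickets unsupported). */`. A one-time log message at this point would also help when diagnosing why resumption is not offered. The function body continues past the end of the hunk.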