git.ipfire.org Git - thirdparty/squid.git/commitdiff
Handshake Error: ccs received early
author Christos Tsantilas <chtsanti@users.sourceforge.net>
Sun, 17 Apr 2016 10:43:27 +0000 (22:43 +1200)
committer Amos Jeffries <squid3@treenet.co.nz>
Sun, 17 Apr 2016 10:43:27 +0000 (22:43 +1200)
Some servers cause an SSL handshake error with peek and splice.
The problem is related to the TLS Session Tickets extension handling. Squid
always expects a TLS Session Tickets extension, included in the server hello
message, to assume that the ticket was accepted and the session is a resumed
session, which is not always true.

This is a Measurement Factory project.

src/ssl/bio.cc

index 86b455c5b4cb24dd6ceaa4fb4ad5e710964559db..f502189a8095f9cb73d3abb808ebe8c93996afc1 100644 (file)
@@ -515,9 +515,7 @@ Ssl::ServerBio::resumingSession()
         return clientFeatures.sessionId == serverFeatures.sessionId;
 
     // is this a session resuming attempt using TLS tickets?
-    if (clientFeatures.hasTlsTicket &&
-            serverFeatures.tlsTicketsExtension &&
-            serverFeatures.hasCcsOrNst)
+    if (clientFeatures.hasTlsTicket && receivedHelloFeatures_.hasCcsOrNst)
         return true;
 
     return false;
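
Review bot: The new condition in Ssl::ServerBio::resumingSession() reads the flag from receivedHelloFeatures_.hasCcsOrNst, while the removed lines and the session-ID comparison just above read from serverFeatures, and the commit message only explains dropping the serverFeatures.tlsTicketsExtension requirement, not the change of source object. Please say in the commit message or a code comment whether receivedHelloFeatures_ and serverFeatures can hold different values at this point, and why the former is the right one here. The existing comment "// is this a session resuming attempt using TLS tickets?" should also be extended to note that resumption is now inferred from the client's ticket plus hasCcsOrNst alone, without the server echoing the extension, since the result of this function now depends on that single server-side signal.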