TLS: Verify session ID to prevent incorrect session resumption
When a TLS 1.2 session is resumed via an external server-side cache
(SSL_CTX_sess_set_get_cb()), the session ID stored in an SSL_SESSION is assigned
by the server at the end of the original full handshake and never modified
afterwards. The client-supplied session ID in ClientHello is copied verbatim
from the session the client cached after that same handshake. If both sides
behaved correctly, the two values are guaranteed to be identical.
This commit adds an explicit comparison inside ssl_get_prev_session() between
the session ID the client offered in ClientHello and the session ID embedded in
the SSL_SESSION returned by the external cache. If they do not match, the cached
session is released and ssl_get_prev_session() returns as a cache miss, forcing
a full handshake. Catching the mismatch here ensures the server never sends a
ServerHello that claims resumption of a session ID it cannot legitimately echo.
A mismatch unambiguously indicates one of the following:
- a corrupt cache entry
- an external cache implementation that returned the wrong session
- an active tampering attempt
In all three cases refusing resumption and falling back to a full handshake is
the correct response.
Signed-off-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 12:36:49 2026
(Merged from https://github.com/openssl/openssl/pull/30517)
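As an added illustration of the check this commit describes (example code written here, not the commit's diff and not OpenSSL's internals), the model below stands in for the external cache callback and the cached session: the `cached_session` struct, `try_resume()` and the two sample caches are hypothetical, constructed names, and the second cache deliberately returns a session whose ID does not match the offered one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SID_LEN 32  /* TLS session IDs are at most 32 bytes */

/* Hypothetical stand-in for SSL_SESSION: only the fields the check needs. */
typedef struct {
    uint8_t sid[MAX_SID_LEN];
    size_t  sid_len;
    int     refs;  /* models the reference the cache hands back to the caller */
} cached_session;

/* Models the get callback installed with SSL_CTX_sess_set_get_cb(). */
typedef cached_session *(*get_cb_t)(const uint8_t *sid, size_t sid_len);

typedef enum { FULL_HANDSHAKE = 0, RESUME_OK = 1 } resume_decision;

/* Only trust a session returned by the external cache if its stored ID is
 * byte-for-byte equal to the ID offered in ClientHello; otherwise release it
 * and report a cache miss so the server falls back to a full handshake. */
resume_decision try_resume(get_cb_t cache_get, const uint8_t *offered,
                           size_t offered_len, cached_session **out) {
    *out = NULL;
    if (offered_len == 0 || offered_len > MAX_SID_LEN)
        return FULL_HANDSHAKE;               /* nothing valid to resume */
    cached_session *s = cache_get(offered, offered_len);
    if (s == NULL)
        return FULL_HANDSHAKE;               /* ordinary cache miss */
    if (s->sid_len != offered_len || memcmp(s->sid, offered, offered_len) != 0) {
        s->refs--;                           /* release the mismatched session */
        return FULL_HANDSHAKE;               /* corrupt entry, wrong session, or tampering */
    }
    *out = s;
    return RESUME_OK;
}

/* Constructed data: a correct cache and one that returns the wrong entry. */
static cached_session good  = { {0xA1, 0xA2, 0xA3, 0xA4}, 4, 1 };
static cached_session wrong = { {0xB1, 0xB2, 0xB3, 0xB4}, 4, 1 };
static const uint8_t offered_sid[4] = { 0xA1, 0xA2, 0xA3, 0xA4 };
static cached_session *good_cache(const uint8_t *s, size_t n)  { (void)s; (void)n; return &good; }
static cached_session *buggy_cache(const uint8_t *s, size_t n) { (void)s; (void)n; return &wrong; }

/* Returns 1 if the cache lookup led to resumption, 0 if it fell back. */
int resumed_with(get_cb_t cb) {
    cached_session *s;
    return try_resume(cb, offered_sid, sizeof offered_sid, &s) == RESUME_OK;
}

int main(void) {
    printf("correct cache: %s\n", resumed_with(good_cache) ? "resumed" : "full handshake");
    printf("buggy cache:   %s\n", resumed_with(buggy_cache) ? "resumed" : "full handshake");
    return 0;
}
```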