
github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
authorDavid Benjamin <davidben@chromium.org>2014-11-11 08:52:15 +0300
committerAdam Langley <agl@google.com>2014-11-14 01:05:12 +0300
commitbdf5e72f50e25f0e45e825c156168766d8442dde (patch)
tree316fb2d3877a529618767d8a415fe990c8a7a8e8 /ssl/test
parent2f3ba910a2bdb9e7d19e712a827cdc80c8d8c777 (diff)
Don't resume sessions if the negotiated version doesn't match.
All of NSS, upstream OpenSSL, SChannel, and Secure Transport require, on the client, that the ServerHello version match the session's version on resumption. OpenSSL's current behavior is incompatible with all of these. Fall back to a full handshake on the server instead of mismatch. Add a comment on the client for why we are, as of 30ddb434bfb845356fbacb6b2bd51f8814c7043c, not currently enforcing the same in the client. Change-Id: I60aec972d81368c4ec30e2fd515dabd69401d175 Reviewed-on: https://boringssl-review.googlesource.com/2244 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/test')
-rw-r--r--ssl/test/runner/runner.go28
1 files changed, 21 insertions, 7 deletions
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index f8649d3c..91722239 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1745,13 +1745,6 @@ func addResumptionVersionTests() {
}
suffix := "-" + sessionVers.name + "-" + resumeVers.name
- // TODO(davidben): Write equivalent tests for the server
- // and clean up the server's logic. This requires being
- // able to give the shim a different set of SSL_OP_NO_*
- // flags between the initial connection and the
- // resume. Perhaps resumption should be tested by
- // serializing the SSL_SESSION and starting a second
- // shim.
testCases = append(testCases, testCase{
name: "Resume-Client" + suffix,
resumeSession: true,
@@ -1789,6 +1782,27 @@ func addResumptionVersionTests() {
},
expectedResumeVersion: resumeVers.version,
})
+
+ var flags []string
+ if sessionVers.version != resumeVers.version {
+ flags = append(flags, "-expect-session-miss")
+ }
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "Resume-Server" + suffix,
+ flags: flags,
+ resumeSession: true,
+ config: Config{
+ MaxVersion: sessionVers.version,
+ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ },
+ expectedVersion: sessionVers.version,
+ resumeConfig: &Config{
+ MaxVersion: resumeVers.version,
+ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ },
+ expectedResumeVersion: resumeVers.version,
+ })
}
}
}
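Review bot: The new `Resume-Server` case only passes an explicit expectation to the shim when the versions differ (`-expect-session-miss`); when `sessionVers.version == resumeVers.version`, `flags` stays nil and nothing visible in this hunk asserts that the session was actually resumed. If the runner or shim does not already check for a hit when `resumeSession` is true (not visible here), a server that always falls back to a full handshake would still pass every one of these cases, so the positive path is worth confirming. The block would also benefit from a comment above `var flags []string`, for example `// A server must not resume a session at a different version; it falls back to a full handshake, so the shim should report a session miss.` The enclosing `addResumptionVersionTests` starts outside the hunk.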