[gnutls-devel] Server sends incorrect extensions for resumption handshake?

[Nikos Mavrogiannopoulos]

On 06/30/2013 04:52 AM, Peter Dettman wrote:

> Firstly, the ec_point_formats extension is included in the session
> resumption ServerHello. This appears to violate RFC 3546 2.3. "If [...]
> the older session is resumed, then the server MUST ignore extensions
> appearing in the client hello, and send a server hello containing no
> extensions[.]" (later RFC updates contain similar clauses) . Please
> understand that the problem is probably broader than just the
> ec_point_formats extension; the server shouldn't be sending any. The
> only exception to that rule that I am aware of is from RFC 5746,
> renegotiation_info, which appears to say that this extension is
> per-connection, and can always be sent. This is the second issue I want
> to raise: while gnutls-serv sends renegotiation_info during the initial
> handshake, it does _not_ send it during a resumption handshake.
> I am posting to the list instead of raising a bug report directly,
> because it's at least true that 'openssl s_server' also sends
> superfluous server extensions during resumption (it sends the
> renegotiation_info correctly though) . I would appreciate if anyone can
> enlighten me as to whether there is an unofficial standard in play here,
> or whether this should be considered a bug.

It looks like a bug, but if I remember well I refrained from being
strict-RFC compliant there since most other implementations at the time
weren't either. Thanks for letting know however, maybe it is time to fix
that once I find some time.

> Please contact me if you'd like replicate the problem, either via the
> BouncyCastle test code itself, or in some other way.

I'd appreciate if you sent replication instructions. Even if I cannot
check it immediately, it will help when I will actually try...

Thank you,
Nikos