[gnutls-devel] [resent][PATCH] fix SessionTicket when server opted for not renewing ticket

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Mar 21 11:25:01 CET 2016


On Fri, Mar 18, 2016 at 2:32 PM, Yuriy M. Kaminskiy <yumkam at gmail.com> wrote:
>>> After looking at rfc5077, it looks like server is allowed to resume
>>> session this way, and client should just keep old SessionTicket data.
>>> However, gnutls forgets it instead.
>>
>>   I am unable to understand which scenario does not work from the
>> description. Could you describe only the non-working scenario and if
>> possible provide some reproducer with gnutls-cli or a sample gnutls
>> application?
>
> You need to resume the session 2 or more times, with a server that opts for *not*
> renewing the ticket (e.g. https://www.google.com shows this behavior for me).
> Run
> $ wireshark-gtk -p -f 'tcp && port https' &
> Set filter to ssl.handshake, start capture.
> $ gnutls-cli --inline-commands www.google.com
> ^resume^
> ^resume^

That seems to be a limitation of gnutls-cli.
gnutls_session_get_data2() can only be called on non-resumed sessions,
and gnutls-cli does call it on resumed ones as well, causing the issue that
you notice. Fixing gnutls-cli to conform to the documented behavior
fixes the issue. Could that be the same happening in curl?

I'm thinking if that's a commonly used pattern maybe we can fix the
API to store any value provided by gnutls_session_set_data() and
return the same value by gnutls_session_get_data*() if it is not a
resumed value. This however would increase memory usage in such a
session.

regards,
Nikos
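Added example (not part of the thread, and not GnuTLS or gnutls-cli code): a small C model of the client-side ticket cache decision under discussion, so the difference between the two patterns can be run and checked. In a real GnuTLS client the `resumed` flag would come from gnutls_session_is_resumed() and the session data from gnutls_session_get_data2(); here both are plain function inputs, the ticket bytes are constructed, and the "server that never renews" is simulated by reporting empty session data on every resumed handshake.

```c
/* Model of a TLS client's session-ticket cache (added example, not GnuTLS code).
 * "reported" stands in for what gnutls_session_get_data2() would hand back;
 * "resumed" stands in for gnutls_session_is_resumed(). */
#include <stdio.h>
#include <string.h>

#define TICKET_MAX 64

struct ticket_cache {
    unsigned char data[TICKET_MAX];
    size_t len;                 /* 0 means "no ticket stored" */
};

/* What one completed handshake reports back to the application. */
struct handshake_result {
    int resumed;                /* 1 if the server resumed the session */
    const unsigned char *reported; /* session data as reported; NULL/empty when the
                                      server did not issue a new ticket */
    size_t reported_len;
};

static void cache_store(struct ticket_cache *c, const unsigned char *p, size_t n)
{
    c->len = 0;
    if (p && n > 0 && n <= TICKET_MAX) {
        memcpy(c->data, p, n);
        c->len = n;
    }
}

/* Pattern the thread describes as buggy: fetch and store session data after
 * every handshake, resumed or not.  When the server resumes without renewing
 * the ticket, the empty report overwrites (forgets) the still-valid one. */
size_t cache_update_buggy(struct ticket_cache *c, const struct handshake_result *r)
{
    cache_store(c, r->reported, r->reported_len);
    return c->len;
}

/* Documented pattern: only read session data on a non-resumed handshake.
 * On a resumed one the previously stored ticket is kept (RFC 5077 lets the
 * server resume without sending a new ticket). */
size_t cache_update_fixed(struct ticket_cache *c, const struct handshake_result *r)
{
    if (!r->resumed)
        cache_store(c, r->reported, r->reported_len);
    return c->len;
}

/* Scenario from the report: one full handshake, then repeated resumptions
 * against a server that never renews the ticket.  Returns how many of the
 * follow-up handshakes the client still had a ticket to present for. */
int run_scenario(size_t (*update)(struct ticket_cache *, const struct handshake_result *))
{
    static const unsigned char ticket[] = "constructed-ticket-1"; /* constructed value */
    struct ticket_cache c = { {0}, 0 };
    int presented = 0;

    /* 1st handshake: full, server issues a ticket. */
    struct handshake_result full = { 0, ticket, sizeof ticket - 1 };
    update(&c, &full);

    /* 2nd and 3rd handshakes: resumed, no NewSessionTicket from the server. */
    for (int i = 0; i < 2; i++) {
        if (c.len == 0)
            break;              /* nothing to present: resumption impossible */
        presented++;
        struct handshake_result resumed = { 1, NULL, 0 };
        update(&c, &resumed);
    }
    return presented;
}

int main(void)
{
    printf("buggy pattern: ticket presented on %d of 2 resumptions\n",
           run_scenario(cache_update_buggy));
    printf("fixed pattern: ticket presented on %d of 2 resumptions\n",
           run_scenario(cache_update_fixed));
    return 0;
}
```

With the buggy pattern the second ^resume^ in the reporter's gnutls-cli transcript has no ticket left to send; with the fixed pattern the cached ticket survives every resumed handshake until the server chooses to renew it.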


