Commit 0c3fab7e authored by Daiki Ueno's avatar Daiki Ueno

Bug 1471967, skip unrecognized session tickets in TLS 1.3, r=ekr

Summary: In TLS 1.3, upon receiving a malformed ticket, server doesn't immediately abort the connection, but rejects client's resumption attempt.

Reviewers: ekr

Reviewed By: ekr

Subscribers: mt, ekr, kaie, ueno, rrelyea, HubertKario

Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3

Bug #: 1471967

Differential Revision:

extra : rebase_source : 8d81c1c91d58f363f29ef1e5084cfcdf142f3d38
extra : amend_source : 518ae54337eafe0fa5054637cc9b8a2aea5c8282
parent 3d3560bb
......@@ -276,8 +276,13 @@ TEST_P(TlsConnectGeneric, ConnectResumeCorruptTicket) {
ASSERT_NE(nullptr, hmac_key);
ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
ConnectExpectAlert(server_, illegal_parameter);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
} else {
ConnectExpectAlert(server_, illegal_parameter);
// This callback switches out the "server" cert used on the server with
......@@ -1174,17 +1174,18 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
if (rv != SECSuccess) {
SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
/* Fail with no ticket if we're not a recipient. Otherwise
* it's a hard failure. */
SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
return SECFailure;
/* Ignore decryption failure if we are doing TLS 1.3; that
* means the server rejects the client's resumption
* attempt. In TLS 1.2, however, it's a hard failure, unless
* it's just because we're not the recipient of the ticket. */
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
return SECSuccess;
/* We didn't have the right key, so pretend we don't have a
* ticket. */
SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
goto loser;
rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment