there is no minimum length for session IDs
authorBodo Möller <bodo@openssl.org>
Fri, 20 Sep 2002 08:27:44 +0000 (08:27 +0000)
committerBodo Möller <bodo@openssl.org>
Fri, 20 Sep 2002 08:27:44 +0000 (08:27 +0000)
PR: 274
[previous commit did not include all the changes]

ssl/s3_clnt.c

index 227708981ca1183c7e59e459954dbebe8e13f7bf..b58321628b5060379eff9788809626b71a501420 100644 (file)
@@ -638,23 +638,13 @@ static int ssl3_get_server_hello(SSL *s)
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
                goto f_err;
                }
-
-       if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
-               {
-               /* SSLref returns 16 :-( */
-               if (j < SSL2_SSL_SESSION_ID_LENGTH)
-                       {
-                       al=SSL_AD_ILLEGAL_PARAMETER;
-                       SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
-                       goto f_err;
-                       }
-               }
        if (j != 0 && j == s->session->session_id_length
            && memcmp(p,s->session->session_id,j) == 0)
            {
            if(s->sid_ctx_length != s->session->sid_ctx_length
               || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
                {
+               /* actually a client application bug */
                al=SSL_AD_ILLEGAL_PARAMETER;
                SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
                goto f_err;
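Review bot: The added comment `/* actually a client application bug */` on the sid_ctx mismatch branch is too terse to explain why a local fault ends in a fatal `SSL_AD_ILLEGAL_PARAMETER` alert sent to the server. I would expand it to something like `/* actually a client application bug: the server agreed to resume our session, but s->sid_ctx no longer matches the context stored with that session */`, so a maintainer reading the alert does not go looking for a protocol violation by the peer. Separately, with the minimum-length test removed, the only remaining bound on `j` is the too-long check whose condition sits above this hunk. It is worth confirming that check limits `j` to the size of `s->session->session_id` before the `memcmp(p,s->session->session_id,j)` here and any later copy. ssl3_get_server_hello starts and ends outside the hunk, so neither the bound nor the later use of `j` is visible from here.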