Don't send zero length session ID if stateless session resumption is
author Dr. Stephen Henson <steve@openssl.org>
Fri, 25 Apr 2008 16:27:04 +0000 (16:27 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 25 Apr 2008 16:27:04 +0000 (16:27 +0000)
successful. Check by seeing if there is a cache hit.

ssl/s3_srvr.c

index 3d63e2e89db8b5e5973f4b8773fdcf4f2b6d04df..2ff4bc7ebdeb3dd494960e20753cbefa5fd37e52 100644 (file)
@@ -1145,8 +1145,16 @@ int ssl3_send_server_hello(SSL *s)
                 * session-id if we want it to be single use.
                 * Currently I will not implement the '0' length session-id
                 * 12-Jan-98 - I'll now support the '0' length stuff.
+                *
+                * We also have an additional case where stateless session
+                * resumption is successful: we always send back the old
+                * session id. In this case s->hit is non zero: this can
+                * only happen if stateless session resumption is succesful
+                * if session caching is disabled so existing functionality
+                * is unaffected.
                 */
-               if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
+               if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+                       && !s->hit)
                        s->session->session_id_length=0;
 
                sl=s->session->session_id_length;
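
Review bot: The added `&& !s->hit` test identifies stateless resumption only indirectly: it treats any hit with SSL_SESS_CACHE_SERVER clear as a ticket resumption, and the comment asserts that this is the only way s->hit can be non-zero in that mode. Nothing in this hunk enforces that invariant, so consider documenting it where s->hit is set, or testing a ticket-specific condition in this branch, so that a later change which sets s->hit on another path does not silently start echoing the old session ID. The added comment sentence is also hard to parse ("is succesful if session caching is disabled" has a misspelling and a doubled "if"); wording such as "with session caching disabled, s->hit can only be non-zero when stateless session resumption succeeded" would state the same thing more plainly.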