mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/source4/lib/tls
Noel Power 0fd7b13ebc s4:lib:tls: Don't negotiate session resumption with session tickets
tls_tstream can't properly handle 'New Session Ticket' messages
sent 'after' the client sends the 'Finished' message.

This is needed because some servers (at least elasticsearch) wait until
they get the 'Finished' message from the client before sending the
"New Ticket" message.

Without this patch what typically happens is that when the application code
sends data it then tries to read the response, but, instead of the
response to the request, it actually receives the "New Session Ticket"
instead. The "New Session Ticket" message gets processed by the upper layer
logic, e.g.
   tstream_tls_readv_send
       ->tstream_tls_readv_crypt_next
           ->tstream_tls_retry_read
               ->gnutls_record_recv

instead of the core gnutls routines.

This results in the response processing failing due to the
currently 'unexpected' New Ticket message.

In order to avoid this scenario we can ensure the client doesn't
negotiate resumption with session tickets.

Signed-off-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 09:58:45 UTC 2022 on sn-devel-184
2022-11-16 09:58:44 +00:00
tls_tstream.c s4:lib:tls: Don't negotiate session resumption with session tickets 2022-11-16 09:58:44 +00:00
tls.h lib/tls: Remove unused header definitions from source4/lib/tls/tls.h (tls socket wrapper) 2019-06-26 04:12:32 +00:00
tlscert.c s4:tls: Fix generating TLS RSA certs with FIPS140-2 2020-04-08 13:02:39 +00:00
wscript_build lib/tls: Remove unused source4/lib/tls/tls.c (tls socket wrapper) 2019-05-06 05:46:11 +00:00