OpenSSL: SessionTicket TLS extension problem

Question

I'm using an application which uses OpenSSL for client TLS side. We upgrade the OpenSSL version from 0.9.8e to 0.9.8k. And then TLS doesn't work...

Wireshark shows that the new version (with OpenSSL 0.9.8k) sends the client hello packet with a SessionTicket extension - and the server side responds with a fatal internal error.

The previous version sends an almost identical hello packet, but without the SessionTicket ext.

When I replaced TLSv1_client_method with SSLv23_client_method, everything worked fine - the sent client hello packet was a SSLv2 one (In the sniffer) without any extension (as it wasn't TLS but SSL?)

Is there a better way to disable this extension or to solve the problem in another way?

Thanks in advance, rursw1

Answer 1

Quote from RFC 5077: “Note that the encoding of an empty SessionTicket extension was ambiguous in RFC 4507. An RFC 4507 implementation may have encoded it as:

    00 23      Extension type 35
    00 02      Length of extension contents
    00 00      Length of ticket

or it may have encoded it the same way as this update:

    00 23      Extension type 35
    00 00      Length of extension contents

A server wishing to support RFC 4507 clients should respond to an empty SessionTicket extension encoded the same way as it received it. “ So the server I worked with supports RFC 4507 and not the newer 5077.

Removing it 'normally' using SSL_CTX_set_options with SSL_OP_NO_TICKET solved the problem.

Hope this will help someone...

EDIT: Well, this can be done also with the configuration flag -no-tlsext. (When running the perl Configure script). But, pay attention that in OpenSSL 0.9.8n and OpenSSL 1.0.0, you will need to comment out some parts of the source code or it won't compile - as the secure renegotiation (which is considered to be unsafe by itself) requires it.