SSLEngine improper close invalidates session
Moritz Bechler
bechler at agno3.eu
Sun Apr 24 19:21:04 UTC 2016
Hi,

Debugging a session resumption issue I found that SSLEngine.closeInbound
will always invalidate the TLS session if no close_notify alert has been
received.

This behavior is no longer mandated by the TLS specification (RFC 5246 7.2.1):

    close_notify
    This message notifies the recipient that the sender will not send
    any more messages on this connection. Note that as of TLS 1.1,
    failure to properly close a connection no longer requires that a
    session not be resumed. This is a change from TLS 1.0 to conform
    with widespread implementation practice.

and there are a couple of broken clients around that do not send
close_notify at all (e.g. the Microsoft ones) so the current behavior
will cause failed resumptions/full handshakes for these clients.

Any thoughts on this?

regards
Moritz
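The sequence the post is talking about, written out as an added example (not code from the thread or from the JDK): a helper that closes an already-handshaked SSLEngine in the order the TLS spec expects and records whether the session was still resumable afterwards. It assumes the engine and a SocketChannel are an established connection (setting that up is not shown), and the class, method and Outcome names are this example's own. Step 1 sends our close_notify, step 2 waits a bounded time for the peer's, and step 3 calls closeInbound() and then reads SSLSession.isValid(), which is the check that lets a server measure how many connections lose resumption to clients that skip close_notify.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

/**
 * Graceful TLS shutdown for an SSLEngine whose handshake has already
 * completed over the given SocketChannel (assumed; connection setup is
 * not shown). Sends our close_notify, waits a bounded time for the
 * peer's, and reports whether the session survived the close.
 */
public final class EngineClose {

    /** What the close attempt observed. */
    public static final class Outcome {
        public final boolean peerCloseNotifySeen;  // peer closed per RFC 5246 7.2.1
        public final boolean sessionStillValid;    // false => this client gets a full handshake next time
        Outcome(boolean seen, boolean valid) {
            peerCloseNotifySeen = seen;
            sessionStillValid = valid;
        }
        @Override public String toString() {
            return "peerCloseNotifySeen=" + peerCloseNotifySeen
                 + " sessionStillValid=" + sessionStillValid;
        }
    }

    public static Outcome close(SSLEngine engine, SocketChannel channel, long timeoutMillis)
            throws IOException {
        SSLSession session = engine.getSession();
        ByteBuffer netOut = ByteBuffer.allocate(session.getPacketBufferSize());
        ByteBuffer netIn  = ByteBuffer.allocate(session.getPacketBufferSize());
        ByteBuffer appIn  = ByteBuffer.allocate(session.getApplicationBufferSize());
        ByteBuffer empty  = ByteBuffer.allocate(0);

        // Step 1: queue our close_notify; wrap() emits it and the outbound side becomes done.
        engine.closeOutbound();
        while (!engine.isOutboundDone()) {
            netOut.clear();
            engine.wrap(empty, netOut);
            netOut.flip();
            while (netOut.hasRemaining()) {
                channel.write(netOut);
            }
        }

        // Step 2: read until unwrap() reports CLOSED (peer's close_notify processed),
        // the peer drops the TCP connection, or the deadline passes.
        channel.configureBlocking(false);
        long deadline = System.currentTimeMillis() + timeoutMillis;
        while (!engine.isInboundDone() && System.currentTimeMillis() < deadline) {
            int n = channel.read(netIn);
            if (n < 0) {
                break;  // TCP FIN with no close_notify: the client behaviour the post describes
            }
            if (n == 0) {
                try {
                    Thread.sleep(10);  // nothing pending yet; poll again until the deadline
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    break;
                }
                continue;
            }
            netIn.flip();
            SSLEngineResult r = engine.unwrap(netIn, appIn);
            netIn.compact();   // keep any partial record for the next read
            appIn.clear();     // trailing application data is discarded during shutdown
            if (r.getStatus() == SSLEngineResult.Status.CLOSED) {
                break;         // isInboundDone() is now true
            }
        }
        boolean peerClosed = engine.isInboundDone();

        // Step 3: closeInbound() without a prior close_notify throws and, as the post
        // reports, invalidates the session; catch it so the outcome is recorded, not lost.
        try {
            engine.closeInbound();
        } catch (SSLException e) {
            // peer never sent close_notify; session.isValid() reports the consequence below
        }
        return new Outcome(peerClosed, session.isValid());
    }
}
```

Logging the returned Outcome per connection gives a direct count of clients that skip close_notify and of the sessions dropped from the resumption cache as a result; the timeout keeps a misbehaving peer from holding the closing thread open.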