Fix regression with session cache use by clients

author Benjamin Kaduk <bkaduk@akamai.com>

Mon, 16 Apr 2018 12:32:02 +0000 (07:32 -0500)

committer Benjamin Kaduk <kaduk@mit.edu>

Tue, 1 May 2018 16:19:20 +0000 (11:19 -0500)
author Benjamin Kaduk <bkaduk@akamai.com>
Mon, 16 Apr 2018 12:32:02 +0000 (07:32 -0500)
committer Benjamin Kaduk <kaduk@mit.edu>
Tue, 1 May 2018 16:19:20 +0000 (11:19 -0500)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index 1e24f8446dcc161160405362ff9bcf084162aba3..2a57831bc7b27526e273303874c3ae19505d330f 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3336,12 +3336,13 @@ void ssl_update_cache(SSL *s, int mode)
      /*
       * If sid_ctx_length is 0 there is no specific application context
       * associated with this session, so when we try to resume it and
-     * SSL_VERIFY_PEER is requested, we have no indication that this is
-     * actually a session for the proper application context, and the
-     * *handshake* will fail, not just the resumption attempt.
-     * Do not cache these sessions that are not resumable.
+     * SSL_VERIFY_PEER is requested to verify the client identity, we have no
+     * indication that this is actually a session for the proper application
+     * context, and the *handshake* will fail, not just the resumption attempt.
+     * Do not cache (on the server) these sessions that are not resumable
+     * (clients can set SSL_VERIFY_PEER without needing a sid_ctx set).
       */
-    if (s->session->sid_ctx_length == 0
+    if (s->server && s->session->sid_ctx_length == 0
              && (s->verify_mode & SSL_VERIFY_PEER) != 0)
          return;
author	Benjamin Kaduk <bkaduk@akamai.com>
	Mon, 16 Apr 2018 12:32:02 +0000 (07:32 -0500)
committer	Benjamin Kaduk <kaduk@mit.edu>
	Tue, 1 May 2018 16:19:20 +0000 (11:19 -0500)