Add option to disable Extended Master Secret
authorTodd Short <tshort@akamai.com>
Mon, 10 Jul 2017 17:28:35 +0000 (13:28 -0400)
committerMatt Caswell <matt@openssl.org>
Fri, 15 Feb 2019 10:11:18 +0000 (10:11 +0000)
commit088dfa133561d7613b9391a56ddbce58f32c934a
tree46ebb1770ded52fd84e2202d80cac0ea9121b49f
parent9fc8f18f59f4a4c853466dca64a23b8af681bf1c
Add option to disable Extended Master Secret

Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either
an SSL or an SSL_CTX. When processing a ClientHello, if this flag
is set, do not indicate that the EMS TLS extension was received in
either the ssl3 object or the SSL_SESSION.  Retain most of the
sanity checks between the previous and current session during
session resumption, but weaken the check when the current SSL
object is configured to not use EMS.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3910)
12 files changed:
doc/man3/SSL_CONF_cmd.pod
doc/man3/SSL_CTX_set_options.pod
include/openssl/ssl.h
ssl/ssl_conf.c
ssl/statem/extensions.c
ssl/statem/extensions_clnt.c
ssl/statem/extensions_srvr.c
test/recipes/80-test_ssl_new.t
test/ssl-tests/16-certstatus.conf [deleted file]
test/ssl-tests/30-extended-master-secret.conf [new file with mode: 0644]
test/ssl-tests/30-extended-master-secret.conf.in [new file with mode: 0644]
test/sslapitest.c