From 7eae47e0774ba1910dc17523f4e7e78f4cc4c834 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 23 Oct 2024 12:32:10 +0200 Subject: [PATCH] Send a new ticket when rejecting a ticket and tickets enabled --- src/tls.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/src/tls.c b/src/tls.c index 48161c6da8..e7101f415b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -5905,13 +5905,24 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, const byte* input, /* SERVER: ticket is peer auth. */ ssl->options.peerAuthGood = 1; } - } else if (ret == WOLFSSL_TICKET_RET_REJECT) { + } else if (ret == WOLFSSL_TICKET_RET_REJECT || + ret == WC_NO_ERR_TRACE(VERSION_ERROR)) { WOLFSSL_MSG("Process client ticket rejected, not using"); + if (ret == WC_NO_ERR_TRACE(VERSION_ERROR)) + WOLFSSL_MSG("\tbad TLS version"); + ssl->options.rejectTicket = 1; - ret = 0; /* not fatal */ - } else if (ret == WC_NO_ERR_TRACE(VERSION_ERROR)) { - WOLFSSL_MSG("Process client ticket rejected, bad TLS version"); - ssl->options.rejectTicket = 1; + /* If we have session tickets enabled then send a new ticket */ + if (!TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET)) { + ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) { + ret = 0; + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); + ssl->options.createTicket = 1; + ssl->options.useTicket = 1; + } + } ret = 0; /* not fatal */ } else if (ret == WOLFSSL_TICKET_RET_FATAL) { WOLFSSL_MSG("Process client ticket fatal error, not using");