On Wed, May 02, 2018 at 05:19:20PM +0100, Simon McVittie wrote:
> * https://github.com/openssl/openssl/pull/5967
>
> """
> Commit d316cdc introduced some extra
> checks into the session-cache update procedure, intended to prevent
> the caching of sessions whose resumption would lead to a handshake
> failure, since if the server is authenticating the client, there needs to
> be an application-set "session id context" to match up to the authentication
> context. While that change is effective for its stated purpose, there
> was also some collateral damage introduced along with the fix -- clients
> that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
> their usage of session caching was erroneously denied.
>
> Fix the scope of the original commit by limiting it to only acting
> when the SSL is a server SSL.
> """

Is it urgent to fix this in testing/unstable?

Kurt