Some quick comments below: Alan DeKok wrote:
> So it's possible for a malicious client to get the ticket, and close the
> connection without sending a client cert. Then, if the EAP server doesn't
> destroy the ticket, the client can reconnect.

The resumption_master_secret includes the client finished, so the client in your handshake with client authentication should not be able to reconnect; if it can, it is an OpenSSL bug. Alternatively the server did not ask for client authentication and it is ok that the client reconnects.

> The packet flows in Figure 2 of draft-14 shows only one exchange of session
> tickets, not 2.

Looks to me that Figure 2 of draft-14 provisions two tickets...?

                                        EAP-Request/
                                        EAP-Type=EAP-TLS
                                        (TLS NewSessionTicket,
                                         TLS NewSessionTicket,
                              <--------  TLS close_notify)

Cheers,
John

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
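To make the key-schedule argument in the reply above concrete, here is an added example that is not part of the thread, of OpenSSL, or of the EAP-TLS draft. It reimplements the relevant pieces of the TLS 1.3 key schedule from RFC 8446 (HKDF-Extract, HKDF-Expand-Label, Derive-Secret, the "res master" derivation, and the per-ticket PSK derivation from RFC 8446 section 4.6.1) on top of Python's hmac/hashlib, and then shows that the resumption_master_secret computed over a transcript that ends at the client Finished differs from one computed over a transcript that stops at the server Finished. The master secret and the handshake messages are constructed placeholder byte strings, not real TLS records; only the derivation logic is the point.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256 cipher suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out = b""
    block = b""
    counter = 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1) using the HkdfLabel structure:
    uint16 length, opaque label<7..255> = "tls13 " + Label, opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript) -> bytes:
    """Derive-Secret(Secret, Label, Messages) =
    HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)."""
    transcript_hash = HASH(b"".join(transcript)).digest()
    return hkdf_expand_label(secret, label, transcript_hash, HASH_LEN)


def resumption_master_secret(master_secret: bytes, transcript) -> bytes:
    """RFC 8446 section 7.1: Derive-Secret(Master Secret, "res master",
    ClientHello...client Finished). The transcript MUST end at client Finished."""
    return derive_secret(master_secret, b"res master", transcript)


def ticket_psk(res_master: bytes, ticket_nonce: bytes) -> bytes:
    """RFC 8446 section 4.6.1: PSK = HKDF-Expand-Label(resumption_master_secret,
    "resumption", ticket_nonce, Hash.length). Each NewSessionTicket carries its own nonce."""
    return hkdf_expand_label(res_master, b"resumption", ticket_nonce, HASH_LEN)


# Constructed placeholders (NOT real handshake bytes): a fixed master secret and
# labelled stand-ins for the handshake messages, in transcript order.
MASTER_SECRET = bytes.fromhex("00" * 31 + "01")
TRANSCRIPT_TO_SERVER_FINISHED = [
    b"ClientHello", b"ServerHello", b"EncryptedExtensions",
    b"CertificateRequest", b"Certificate", b"CertificateVerify", b"Finished(server)",
]
CLIENT_AUTH_MESSAGES = [b"Certificate(client)", b"CertificateVerify(client)", b"Finished(client)"]


def compare_resumption_secrets() -> dict:
    """Derive the 'res master' secret over the complete transcript (through client
    Finished) and over one truncated at server Finished, plus the two ticket PSKs
    a server would mint from the complete one."""
    full = TRANSCRIPT_TO_SERVER_FINISHED + CLIENT_AUTH_MESSAGES
    rms_full = resumption_master_secret(MASTER_SECRET, full)
    rms_truncated = resumption_master_secret(MASTER_SECRET, TRANSCRIPT_TO_SERVER_FINISHED)
    return {
        "rms_full": rms_full,
        "rms_truncated": rms_truncated,
        "differ": rms_full != rms_truncated,
        # Two tickets, two nonces, two distinct PSKs (matches the two
        # NewSessionTicket messages in the figure quoted above).
        "psk_ticket_1": ticket_psk(rms_full, b"\x00"),
        "psk_ticket_2": ticket_psk(rms_full, b"\x01"),
    }


def hkdf_self_check() -> bool:
    """Sanity check against RFC 5869 test case 1 so the HKDF core is trustworthy."""
    ikm = b"\x0b" * 22
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


if __name__ == "__main__":
    assert hkdf_self_check()
    result = compare_resumption_secrets()
    print("res master (through client Finished):", result["rms_full"].hex())
    print("res master (stops at server Finished):", result["rms_truncated"].hex())
    print("secrets differ:", result["differ"])
```

The design point this illustrates is the one made in the reply: because the "res master" derivation hashes the transcript up to and including the client Finished, a client that disconnects before sending its certificate and Finished never shares a resumption_master_secret with the server, so no ticket PSK can line up. Operationally the server side reinforces this, since RFC 8446 only permits NewSessionTicket after the server has received the client Finished; a server that hands out a usable ticket earlier, or resumes without having requested client authentication when policy requires it, is the bug to look for, not the key schedule.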