Do not permit stateless session resumption if session IDs mismatch.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 29 Apr 2008 17:22:01 +0000 (17:22 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 29 Apr 2008 17:22:01 +0000 (17:22 +0000)
ssl/s3_clnt.c

index 7b3eb7ab0257987a8184397670022655b39d71f1..648488b0636963e4185dbb711ef61756ff47c423 100644 (file)
@@ -2686,7 +2686,11 @@ static int ssl3_check_finished(SSL *s)
        {
        int ok;
        long n;
-       if (!s->session->tlsext_tick)
+       /* If we have no ticket or session ID is non-zero length (a match of
+        * a non-zero session length would never reach here) it cannot be a
+        * resumed session.
+        */
+       if (!s->session->tlsext_tick || s->session->session_id_length)
                return 1;
        /* this function is called when we really expect a Certificate
         * message, so permit appropriate message length */
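Review bot: The comment added above the new condition is hard to follow: "session length" presumably means the session ID length, and "a match of a non-zero session length would never reach here" states an invariant that is enforced outside this hunk (in the ServerHello handling, if I read the flow correctly) without saying where. Consider rewording it to name that invariant explicitly, e.g. `/* No ticket, or the server sent a non-empty session ID that did not match ours (a matching non-empty ID takes the resumption path before this point), so this cannot be a resumed session. */`. The new check still dereferences s->session unconditionally, as the removed line did, so it keeps the existing assumption that s->session is set whenever this function is called. The body of ssl3_check_finished continues past the end of the hunk.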