Really fix SSLv2 session ID handling

PR: 377

diff --git a/CHANGES b/CHANGES
index 4b11fc9c5342d749f8cb3840c26b5485c59cebd9..c3176727e5a54700756d33e82521e8e666309574 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -375,6 +375,15 @@ TODO: bug: pad  x  with leading zeros if necessary
  
  Changes between 0.9.7 and 0.9.7a  [XX xxx 2003]
 
+  *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
+     checked on reconnect on the client side, therefore session resumption
+     could still fail with a "ssl session id is different" error. This
+     behaviour is masked when SSL_OP_ALL is used due to
+     SSL_OP_MICROSOFT_SESS_ID_BUG being set.
+     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
+     followup to PR #377.
+     [Lutz Jaenicke]
+
   *) IA-32 assembler support enhancements: unified ELF targets, support
      for SCO/Caldera platforms, fix for Cygwin shared build.
      [Andy Polyakov]

diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index c6319bb63da68cb4fa282f93eca2c5db274508b6..1d24dedc918b261552f0b9376079dbd124fa2c43 100644 (file)
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -1021,7 +1021,7 @@ static int get_server_finished(SSL *s)
                if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
                        {
                        if ((s->session->session_id_length > sizeof s->session->session_id)
-                           || (0 != memcmp(buf, s->session->session_id,
+                           || (0 != memcmp(buf + 1, s->session->session_id,
                                            (unsigned int)s->session->session_id_length)))
                                {
                                ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);