mirror of https://github.com/openssl/openssl
Don't fail if the PSK identity doesn't match
In 1.1.0 s_server if the PSK identity doesn't match what we have then a warning is printed and we continue the connection anyway. In 1.1.1, if TLSv1.3 is used and the identity doesn't match then we abort the connection. We should really be consistent with the old behaviour. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6659)
parent
0edb109f97
commit
c9d6fdd6f7
|
@ -192,8 +192,11 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
|
|||
const SSL_CIPHER *cipher = NULL;
|
||||
|
||||
if (strlen(psk_identity) != identity_len
|
||||
|| memcmp(psk_identity, identity, identity_len) != 0)
|
||||
return 0;
|
||||
|| memcmp(psk_identity, identity, identity_len) != 0) {
|
||||
BIO_printf(bio_s_out,
|
||||
"PSK warning: client identity not what we expected"
|
||||
" (got '%s' expected '%s')\n", identity, psk_identity);
|
||||
}
|
||||
|
||||
if (psksess != NULL) {
|
||||
SSL_SESSION_up_ref(psksess);
|
||||
|
|
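Review bot: The new `BIO_printf` call formats `identity` with `%s`, but the callback receives it as `const unsigned char *` together with a separate `identity_len`, and nothing visible in the hunk guarantees a terminating NUL. On the mismatch path the peer-supplied bytes could therefore be read past their end, and they reach the server output unescaped. Bounding the conversion avoids the over-read: `" (got '%.*s' expected '%s')\n", (int)identity_len, identity, psk_identity);`. Printing the identity hex-encoded or escaped would also keep control characters out of the log. Because a mismatch no longer ends the handshake, a comment above the `if` such as `/* identity is advisory only; the PSK itself authenticates the peer */` would make that explicit. The body of psk_find_session_cb starts and ends outside the hunk.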