From 4a1bd6b935ca5c5b70408a60036312d4825fd24e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 5 May 2019 19:23:37 +0100 Subject: OpenSSL: better handling of $tls_{in,out}_certificate_verified under resumption --- doc/doc-txt/experimental-spec.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 211841f3f..aa7046e58 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -993,15 +993,16 @@ Observability: New log_selector "tls_resumption", appends an asterisk to the tls_cipher "X=" element. - Variables $tls_{in,out}_resumption have bit 0-4 indicating respectively + Variables $tls_{in,out}_resumption have bits 0-4 indicating respectively support built, client requested ticket, client offered session, server issued ticket, resume used. A suitable decode list is provided in the builtin macro _RESUME_DECODE for ${listextract {}{}}. Issues: In a resumed session: - $tls_{in,out}_certificate_verified will be unset (undler OpenSSL) - verify = certificate will be false (undler OpenSSL) + $tls_{in,out}_certificate_verified will be set, and verify = certificate + will be true, when verify failed but tls_try_verify_hosts allowed the + connection (under OpenSSL) $tls_{in,out}_cipher will have values different to the original (under GnuTLS) $tls_{in,out}_ocsp will be "not requested" or "no response" -- cgit v1.2.3
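Review bot: The rewritten "Issues" entry for OpenSSL documents a fail-open condition but leaves the reader to work out the consequence. In a resumed session, `verify = certificate` is true and `$tls_{in,out}_certificate_verified` is set even though verification failed and the connection was only admitted through `tls_try_verify_hosts`. Say explicitly that an ACL or router condition using either of these as proof of a verified peer will pass such a session. It would also help to state whether "verify failed" refers to the handshake that created the session being resumed. The same hunk already describes the "resume used" bit of `$tls_{in,out}_resumption`, so the entry could point at it as the way to tell a resumed session apart from a freshly verified one, and note that hosts needing a hard guarantee should not rely on `tls_try_verify_hosts`. Smaller point: the old text had one item per line, while the new text folds two variables and a condition into a single wrapped sentence. Splitting it back into two lines that share the trailing condition would keep it consistent with the GnuTLS and OCSP entries that follow.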