
Re: [Help-gnutls] client certificate authentication


From: Nikos Mavrogiannopoulos
Subject: Re: [Help-gnutls] client certificate authentication
Date: Sun, 25 Jan 2009 17:30:16 +0200
User-agent: Thunderbird 2.0.0.19 (X11/20090105)

Tristan Hill wrote:
> I have done some more investigation with ssldump:
[...]
> I'm unsure if this is valid behaviour from openssl however.

Thank you. I'm also not sure if this is a valid behavior from us. I
attach a patch, and I'd appreciate it if you check and see that it solves
your issue.

The attached patch tries to stay on the safe side and doesn't try to upgrade
the TLS version on a rehandshake. I'm not sure whether this is the right
thing to do, although performing a rehandshake to upgrade the TLS
version seems quite unlikely.

regards,
Nikos
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 58880ca..8086af1 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1705,12 +1705,16 @@ _gnutls_send_client_hello (gnutls_session_t session, 
int again)
   opaque rnd[GNUTLS_RANDOM_SIZE];
   gnutls_protocol_t hver;
   opaque extdata[MAX_EXT_DATA_LENGTH];
+  int rehandshake = 0;
 
   opaque *SessionID =
     session->internals.resumed_security_parameters.session_id;
   uint8_t session_id_len =
     session->internals.resumed_security_parameters.session_id_size;
 
+  if (session->security_parameters.session_id_size)
+    rehandshake = 1;
+
   if (SessionID == NULL)
     session_id_len = 0;
   else if (session_id_len == 0)
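Review bot: the rehandshake detection at `if (session->security_parameters.session_id_size)` uses the presence of a session ID in the current security parameters as a proxy for "a handshake has already completed", which misses the case where the first handshake finished with an empty session ID (a server that does not offer resumption may send one). In that case `rehandshake` stays 0 and the client hello would still advertise `_gnutls_version_max`, which is exactly the version bump this patch is meant to avoid. Consider keying the flag on whether a prior handshake on this session completed rather than on the session ID length, and add a short comment above the check explaining what condition it is really testing.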
@@ -1734,7 +1738,12 @@ _gnutls_send_client_hello (gnutls_session_t session, int 
again)
        * version number to the previously established.
        */
       if (SessionID == NULL)
-       hver = _gnutls_version_max (session);
+        {
+          if (rehandshake) /* already negotiated version thus version_max == 
negotiated version */
+            hver = session->security_parameters.version;
+          else
+           hver = _gnutls_version_max (session);
+        }
       else
        {                       /* we are resuming a session */
          hver = session->internals.resumed_security_parameters.version;
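Review bot: the new `if (rehandshake)` branch pins `hver` to `session->security_parameters.version`, which matches the "keep the version number to the previously established" intent stated in the existing comment for the resume path, but two style issues in the hunk will not pass GNU-style review: the comment `/* already negotiated version thus version_max == negotiated version */` runs past the line width and should be wrapped onto its own line(s) above the `if`, and the `else` branch `hver = _gnutls_version_max (session);` is indented one column less than the `hver = session->security_parameters.version;` line in the `if` branch. Also, since both the rehandshake and the resume branch now select a previously established version, a one-line comment stating why the rehandshake case reads `security_parameters.version` rather than `resumed_security_parameters.version` would help the next reader.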
