It's a known master-only bug that I stumbled over myself independently
yesterday.
The fix is here:
https://github.com/openssl/openssl/pull/20387
It got its final approval earlier today, so should go in tomorrow.
Matt
On 28/02/2023 16:32, Stephen Farrell wrote:
Hiya,
I had problems with some ECH tests doing early data, part
of which seems to be an underlying bug. Happy to create a
PR to fix if this is right, but figured worth checking I
wasn't getting something wrong first.
The issue seems to be interpreting ticket lifetimes on the
server in seconds when those are in ms, but then comparing
that to a ms expiry, giving basically ~1s for using any
ticket.
The fix seems to be this change (top one working) in
ssl/statem/extensions_srvr.c:
< age = ossl_time_subtract(ossl_ms2time(ticket_agel),
< ossl_ms2time(sess->ext.tick_age_add));
---
> age = ossl_time_subtract(ossl_seconds2time(ticket_agel),
> ossl_seconds2time(sess->ext.tick_age_add)
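Review bot: on the `>` side, the second line ends at `ossl_seconds2time(sess->ext.tick_age_add)` with no closing `);`, so that version is not a complete statement as quoted. The message says the top (`<`) version is the working one, which means this diff reads from fixed to broken rather than old to new; a PR should show the `ossl_ms2time` pair as the added lines. Since the message says these values are in ms, a short comment at the call stating the unit of `ticket_agel` and `sess->ext.tick_age_add`, plus a test that resumes with early data after more than a second has passed, would keep the conversion from being swapped again unnoticed.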
As I say if that's right, happy to make a PR but it
seems a bit odd that that'd not have been caught in
tests. (Though maybe automated tests all run too
quickly to hit the problem?)
Cheers,
S.