update to openssl-0.9.8i; tested by several, especially krw@

1 files changed, 8 insertions, 6 deletions

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 35f04afa4a..9ce726996d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -734,6 +734,13 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
         /* Point after session ID in client hello */
         const unsigned char *p = session_id + len;
         unsigned short i;
+
+        /* If tickets disabled behave as if no ticket present
+         * to permit stateful resumption.
+         */
+        if (SSL_get_options(s) & SSL_OP_NO_TICKET)
+                return 1;
+
         if ((s->version <= SSL3_VERSION) || !limit)
                 return 1;
         if (p >= limit)
@@ -761,12 +768,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                         return 1;
                 if (type == TLSEXT_TYPE_session_ticket)
                         {
-                        /* If tickets disabled indicate cache miss which will
-                         * trigger a full handshake
-                         */
-                        if (SSL_get_options(s) & SSL_OP_NO_TICKET)
-                                return 0;
-                        /* If zero length not client will accept a ticket
+                        /* If zero length note client will accept a ticket
                          * and indicate cache miss to trigger full handshake
                          */
                         if (size == 0)