fix: new session ticket during try send results in tls write failure#1101
Open
brianvanderbeek-philips wants to merge 2 commits intomainfrom
Open
fix: new session ticket during try send results in tls write failure#1101brianvanderbeek-philips wants to merge 2 commits intomainfrom
brianvanderbeek-philips wants to merge 2 commits intomainfrom
Conversation
Contributor
|
Thanks for your first PR. We really appreciate it! |
Contributor
Dependency ReviewThe following issues were found:
Snapshot WarningsConsider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice. License Issuesexternal/crypto/mbedtls/CMakeLists.txt
external/crypto/micro-ecc/CMakeLists.txt
osal/freertos/CMakeLists.txt
external/crypto/tiny-aes128/CMakeLists.txt
osal/threadx/CMakeLists.txt
external/segger_rtt/CMakeLists.txt
external/args/CMakeLists.txt
external/protobuf/CMakeLists.txt
cmake/emil_test_helpers.cmake
lwip/lwip/CMakeLists.txt
infra/syntax/CMakeLists.txt
OpenSSF ScorecardScorecard details
Scanned Files
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR enhances TLS 1.3 session management by adding logic to handle new session tickets received during client send operations. When a client receives a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET error during a write operation, the code now properly retrieves and stores the session ticket for future reconnection optimization.
Changes:
- Added conditional handling for TLS 1.3 new session ticket reception during client send operations
- Session ticket is now retrieved and marked as obtained when received
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+400
to
+402
| result = clientSession->GetSession(&sslContext); | ||
| clientSession->Obtained(); | ||
| assert(result == 0); |
There was a problem hiding this comment.
The result variable is reassigned from GetSession() but then used in the subsequent else if condition at line 405. This changes the control flow logic. If GetSession() returns a negative value other than MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET, it will incorrectly trigger the error handling block below. Store GetSession()'s return value in a separate variable to avoid interfering with the original error code.
Contributor
✅
|
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 12 | 0 | 0 | 0.29s | |
| ✅ CPP | clang-format | 1054 | 7 | 0 | 0 | 7.73s |
| ✅ DOCKERFILE | hadolint | 2 | 0 | 0 | 0.31s | |
| ✅ JSON | jsonlint | 7 | 0 | 0 | 0.17s | |
| ✅ JSON | prettier | 7 | 0 | 0 | 0 | 0.53s |
| markdownlint | 6 | 0 | 4 | 0 | 1.16s | |
| ✅ MARKDOWN | markdown-table-formatter | 6 | 0 | 0 | 0 | 0.29s |
| ✅ REPOSITORY | checkov | yes | no | no | 20.22s | |
| ✅ REPOSITORY | git_diff | yes | no | no | 0.05s | |
| ✅ REPOSITORY | grype | yes | no | no | 27.6s | |
| ✅ REPOSITORY | ls-lint | yes | no | no | 0.07s | |
| ✅ REPOSITORY | secretlint | yes | no | no | 7.99s | |
| ✅ REPOSITORY | syft | yes | no | no | 1.31s | |
| ✅ REPOSITORY | trivy | yes | no | no | 5.32s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | no | 0.18s | |
| ✅ REPOSITORY | trufflehog | yes | no | no | 2.29s | |
| lychee | 139 | 1 | 0 | 7.7s | ||
| prettier | 22 | 1 | 1 | 0 | 0.7s | |
| ✅ YAML | v8r | 22 | 0 | 0 | 6.78s | |
| ✅ YAML | yamllint | 22 | 0 | 0 | 0.65s |
Detailed Issues
⚠️ SPELL / lychee - 1 error
[404] https://github.com/protocolbuffers/protobuf/releases/download/v$%7Bprotobuf_tag%7D/protoc-$%7Bprotobuf_version%7D-$%7Bos_postfix%7D.zip | Network error: Not Found
📝 Summary
---------------------
🔍 Total..........544
✅ Successful.....540
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........3
❓ Unknown..........0
🚫 Errors...........1
Errors in external/protoc/CMakeLists.txt
[404] https://github.com/protocolbuffers/protobuf/releases/download/v$%7Bprotobuf_tag%7D/protoc-$%7Bprotobuf_version%7D-$%7Bos_postfix%7D.zip | Network error: Not Found
⚠️ MARKDOWN / markdownlint - 4 errors
external/crypto/tiny-aes128/README.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "### Tiny AES128 in C"]
external/crypto/tiny-aes128/README.md:29 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
external/crypto/tiny-aes128/README.md:39 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
external/crypto/tiny-aes128/README.md:49 error MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
⚠️ YAML / prettier - 1 error
[error] Explicitly specified pattern "documents/modules/ROOT/examples/clangformat.yaml" is a symbolic link.
.clusterfuzzlite/project.yaml 35ms (unchanged)
.github/dependabot.yml 17ms (unchanged)
.github/workflows/ci.yml 80ms (unchanged)
.github/workflows/dependency-scanner.yml 17ms (unchanged)
.github/workflows/documentation.yml 9ms (unchanged)
.github/workflows/fuzzing-batch.yml 12ms (unchanged)
.github/workflows/fuzzing-cron.yml 6ms (unchanged)
.github/workflows/fuzzing-pr.yml 7ms (unchanged)
.github/workflows/linting-formatting.yml 13ms (unchanged)
.github/workflows/release-please.yml 12ms (unchanged)
.github/workflows/security.yml 6ms (unchanged)
.github/workflows/social-interaction.yml 4ms (unchanged)
.github/workflows/static-analysis.yml 9ms (unchanged)
.github/workflows/validate-pr.yml 11ms (unchanged)
.ls-lint.yml 3ms
.mega-linter.yml 3ms (unchanged)
antora-playbook-branch.yml 3ms (unchanged)
antora-playbook-site.yml 3ms (unchanged)
documents/antora.yml 4ms (unchanged)
documents/supplemental-ui/ui.yml 1ms (unchanged)
mull.yml 3ms (unchanged)
See detailed reports in MegaLinter artifacts
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command:
npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,CPP_CLANG_FORMAT,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GRYPE,REPOSITORY_LS_LINT,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R
|
BarisTanyeri
reviewed
Feb 9, 2026
| #ifdef MBEDTLS_SSL_PROTO_TLS1_3 | ||
| else if (!server && result == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) | ||
| { | ||
| result = clientSession->GetSession(&sslContext); |
Contributor
There was a problem hiding this comment.
I see this is now being duplicated in multiple places, perhaps it now warrants an extraction :)
BarisTanyeri
approved these changes
Feb 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces an enhancement to the TLS connection handling in
ConnectionMbedTls.cpp, specifically for TLS 1.3 support. The main change is the addition of logic to handle the receipt of a new session ticket on the client side, improving session management and compliance with TLS 1.3.TLS 1.3 session ticket handling:
MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) and trigger session retrieval and state update viaclientSession->GetSessionandclientSession->Obtained. This ensures proper session management for TLS 1.3 connections.