Update from stable branch.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 74f5abe..4ca47fa 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c
@@ -2918,7 +2918,11 @@ { int ok; long n; - if (!s->session->tlsext_tick) + /* If we have no ticket or session ID is non-zero length (a match of + * a non-zero session length would never reach here) it cannot be a + * resumed session. + */ + if (!s->session->tlsext_tick || s->session->session_id_length) return 1; /* this function is called when we really expect a Certificate * message, so permit appropriate message length */