[openssl-users] Possible bug in 1.1.1-pre8 with NSTs and PSK in initial ClientHello handshake
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Aug 13 17:23:27 UTC 2018
> On Aug 13, 2018, at 1:00 PM, Henderson, Karl via openssl-users <openssl-users at openssl.org> wrote:
>
> According to RFC8446, Section C.4 “Servers SHOULD issue new tickets with every connection”.
>
> Yet, in file ssl/statem/extensions_srvr.c, method tls_parse_ctos_psk, s->ext.ticket_expected = 0, preventing the NST from being sent.
>
> This appears to be a bug – or am I missing something?
Have you observed behaviour different from the below documentation?
NAME
SSL_set_num_tickets, SSL_get_num_tickets, SSL_CTX_set_num_tickets,
SSL_CTX_get_num_tickets - control the number of TLSv1.3 session tickets
that are issued
SYNOPSIS
#include <openssl/ssl.h>
int SSL_set_num_tickets(SSL *s, size_t num_tickets);
size_t SSL_get_num_tickets(SSL *s);
int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx);
DESCRIPTION
SSL_CTX_set_num_tickets() and SSL_set_num_tickets() can be called for a
server application and set the number of session tickets that will be
sent to the client after a full handshake. Set the desired value (which
could be 0) in the num_tickets argument. Typically these functions
should be called before the start of the handshake.
The default number of tickets is 2; the default number of tickets sent
following a resumption handshake is 1 but this cannot be changed using
these functions. The number of tickets following a resumption
handshake can be reduced to 0 using custom session ticket callbacks
(see SSL_CTX_set_session_ticket_cb(3)).
--
Viktor.
More information about the openssl-users
mailing list