[openssl-users] Double TLS 1.3 session ticket?

Yann Ylavic ylavic.dev at gmail.com
Wed Jun 20 21:31:24 UTC 2018


>>    Thanks, it does not happen with mozzilla implementation
>     (tls13.crypto.mozilla.org), is this openssl specific or part of the
>     specification?
>
> The specification allows a server to send one or more tickets, at its discretion.

OK thanks, I could find the relevant PR and rationale after more googling.

One caveat though, the info_callback()s can now be called multiple
times with SSL_CB_HANDSHAKE_START/DONE (for each ticket), same
possibly for others callbacks (if any) where the state could be
tracked. The s_client output from the original message is misleading
in this regard.

For instance in Apache httpd info_callback() is used to check for and
forbid client initiated renegotiations, not a big deal since they
shouldn't exist anymore with TLS 1.3 (so this check has been disabled
since it's enforced by openssl in the first place), but I wonder if
announcing the start then end of the same handshake multiple times
could/should be avoided (i.e. handshake ends after last ticket only)?


More information about the openssl-users mailing list