Getting SSL_SESSION remaining lifetime

Viktor Dukhovni openssl-users at dukhovni.org
Thu Sep 16 15:59:48 UTC 2021


On Thu, Sep 16, 2021 at 04:11:49PM +0200, Hubert Kario wrote:

> On Thursday, 16 September 2021 04:41:44 CEST, Jaya Muthiah wrote:
> >
> > I am trying to get the remaining lifetime of the ticket so that 
> > server can decide to renew ticket or not
> 
> TLS 1.3 tickets are single use. If the ticket was used by a client,
> and you expect it to make a connection in the future, server needs to
> send a new one.

This is wrong both in terms of specification and the extant OpenSSL
implementation.

The Postfix SMTP server arranges to accept multi-use tickets without
reissuing replacement tickets when the original ticket is still good for
reuse.  Ticket reuse is well suited to the MTA-to-MTA use-case where
"privacy" is not only a concern but in fact undesirable.  MTAs often
reject traffic from senders with no PTR records, generic PTR records,
poor IP reputation, ....

The Internet does not solely consist of browser traffic from portable
devices at wifi hotspots to taboo web sites.

-- 
    Viktor.
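The policy discussed in this thread (keep accepting a ticket that is still good, and issue a replacement only when little lifetime is left), as an added example that is not part of the original message and is not Postfix or OpenSSL code. The function names, the decision enum and the `renew_below` threshold are hypothetical, and the mapping to OpenSSL's `SSL_TICKET_RETURN_*` values in the comments is an assumption about how a server would wire this in.

```c
#include <stdio.h>

/* Hypothetical decision codes for this example. In an OpenSSL 1.1.1+ decrypt
 * callback registered with SSL_CTX_set_session_ticket_cb() they are assumed
 * to map to SSL_TICKET_RETURN_USE, SSL_TICKET_RETURN_USE_RENEW and
 * SSL_TICKET_RETURN_IGNORE_RENEW respectively. */
enum ticket_decision { TICKET_REUSE, TICKET_REUSE_AND_RENEW, TICKET_REJECT_AND_RENEW };

/* Seconds of lifetime left, or 0 if expired. `issued` and `timeout` are the
 * values SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return. */
long session_remaining(long issued, long timeout, long now)
{
    if (timeout <= 0)
        return 0;
    if (now <= issued)            /* clock stepped back: cap at full timeout */
        return timeout;
    long age = now - issued;
    return age >= timeout ? 0 : timeout - age;
}

/* Accept a still-good ticket as is; issue a replacement only when fewer
 * than `renew_below` seconds remain (assumed policy knob). */
enum ticket_decision ticket_policy(long issued, long timeout, long now, long renew_below)
{
    long left = session_remaining(issued, timeout, now);
    if (left == 0)
        return TICKET_REJECT_AND_RENEW;   /* full handshake, fresh ticket */
    if (left < renew_below)
        return TICKET_REUSE_AND_RENEW;    /* resume, then replace the ticket */
    return TICKET_REUSE;                  /* resume, send no new ticket */
}

int main(void)
{
    /* Constructed sample: ticket issued at t=1000 with a 7200 s timeout. */
    long issued = 1000, timeout = 7200, renew_below = 600;
    long probes[] = { 1000, 4000, 7700, 8200, 9000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("now=%ld left=%ld decision=%d\n", probes[i],
               session_remaining(issued, timeout, probes[i]),
               (int)ticket_policy(issued, timeout, probes[i], renew_below));
    return 0;
}
```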

