Not able to retreive session ticket both at server and client level

Matt Caswell matt at openssl.org
Tue Nov 8 10:49:39 UTC 2022



On 08/11/2022 06:09, Sethuraman Venugopal wrote:
> Dear Team,
> 
> *Problem Statement* : The session is resumable, but still the session 
> does not have any tickets after calling SL_CTX_sess_set_new_cb() and 
> SSL_new_session_ticket()
> 
> This is the method *TLS_server_method* and *TLS_client_method* we are 
> using at server and client level respectively.
> 
> Please guide me in getting the session ticket at server and client level.
> 
> *Code snippet and the output at server side *
> 
> printf("\n The session resumable is : [%d]", 
> SSL_SESSION_is_resumable(SSL_get_session(ssl)));
> 
> *Output* : The session resumable is : [1]
> 
> // set an call back function at session to be triggered during sending 
> ticket to client
> 
> SL_CTX_sess_set_new_cb(ctx, new_session_cb);
> 
> printf("\nThe new session ticket : [%d]",SSL_new_session_ticket(ssl));

This requests that a new session ticket be sent, but doesn't actually 
send it yet. From the docs:

"SSL_new_session_ticket() is used by a server application to request 
that a new
ticket be sent when it is safe to do so.  New tickets are only allowed to be
sent in this manner after the initial handshake has completed, and only for
TLS 1.3 connections.  By default, the ticket generation and transmission are
delayed until the server is starting a new write operation, so that it is
bundled with other application data being written and properly aligned to a
record boundary."

So, this will only work if you have negotiated TLSv1.3, and the ticket 
will only be sent the next time you call `SSL_write()`.



> 
> *Output* : The new session ticket : [1]
> 
> printf("\nThe session has ticket 
> [%d]",SSL_SESSION_has_ticket(SSL_get0_session(ssl)));
> 
> *Output* : The session has ticket [0]
> 
> *// Able to set the ticket appdata at server and able to retrevie the 
> value at server level but not at client level*
> 
> SSL_SESSION_set1_ticket_appdata(SSL_get_session(ssl), m_ServerChallenge, 
> 32);

Ticket app data gets encrypted into the session ticket when the server 
creates it. The client never decrypts a session ticket - its just a 
"blob" of data. App data set on the server side is not accessible to the 
client.

Matt

> 
> unsigned char         m_ServerChallenge1[32];
> 
> unsigned int sid_ctx_len1 = 0;
> 
> SSL_SESSION_get0_ticket_appdata(SSL_get_session(ssl),m_ServerChallenge1, 
> &sid_ctx_len1);
> 
> *// Able to print the above value at server side,but not able to get the 
> same at client side.*
> 
> Regards,
> 
> Sethu V
> 


More information about the openssl-users mailing list