<div dir="ltr"><div>Hi Matt,<br></div>Thanks for your reply!<br><div><div class="gmail_extra"><br><div class="gmail_quote">2018-05-23 20:33 GMT+08:00 Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span>:<span class="gmail-"></span><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
To test resumption first create a full handshake TLSv1.3 connection and<br>
save the session:<br>
<br>
$ openssl s_server -cert cert.pem -key key.pem<br>
$ openssl s_client -sess_out session.pem<br>
<br>
Close the s_client instance by entering "Q" followed by enter. Then<br>
(without closing the s_server instance) resume the session:<br>
<br>
$ openssl s_client -sess_in session.pem<br></blockquote><div>This way looks the same to test resumption on TLS 1.2.<br><br></div><div>The followings are some logs from my test.<br></div><div>The first connection:<br></div><div>---<br>New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384<br>Server public key is 256 bit<br>Secure Renegotiation IS NOT supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>Early data was not sent<br>SSL-Session:<br> Protocol : TLSv1.3<br> Cipher : TLS_AES_256_GCM_SHA384<br> Session-ID: <br> Session-ID-ctx: <br> Master-Key: B4A20A467729A8179ECE5912AD87A0E5A784B8573A6F98CB414498142A10A37593B10DE254197A98E05CE65BDD664776<br> PSK identity: None<br> PSK identity hint: None<br> SRP username: None<br> Start Time: 1527153377<br> Timeout : 7200 (sec)<br> Verify return code: 0 (ok)<br> Extended master secret: no<br>---<br><br>The second connection:<br></div><div>---<br>Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384<br>Server public key is 256 bit<br>Secure Renegotiation IS NOT supported<br>Compression: NONE<br>Expansion: NONE<br>No ALPN negotiated<br>Early data was not sent<br>SSL-Session:<br> Protocol : TLSv1.3<br> Cipher : TLS_AES_256_GCM_SHA384<br> Session-ID: 601F249C2033D5E5DF23D3380E6A2D81B335AF420D59849BB2023C415D0553C5<br> Session-ID-ctx: <br> Master-Key: 68695BD547856C14E04C747CE884F876B1564DADC66F28CD24B95DF3240FE0C0F93F59ED650B5EE45F6D3EA40A71C993<br> PSK identity: None<br> PSK identity hint: None<br> SRP username: None<br> TLS session ticket lifetime hint: 7200 (seconds)<br> TLS session ticket:<br> 0000 - 54 03 c8 0e e6 75 f3 ef-3f 7a 73 89 bc 87 69 ab T....u..?zs...i.<br> 0010 - cf e6 ff d1 f9 d8 24 36-0d e5 67 52 30 7c ea 0c ......$6..gR0|..<br> 0020 - c8 a2 67 ad 24 f6 29 cc-2c 95 48 36 e8 87 f6 4e ..g.$.).,.H6...N<br> 0030 - c1 e8 44 a7 49 9d d6 61-36 32 37 80 01 1a 67 38 ..D.I..a627...g8<br> 0040 - ee b7 fb 83 d8 fc 66 69-51 29 3e c4 81 38 c5 2f ......fiQ)>..8./<br> 0050 - 62 a2 fe 65 76 20 91 b4-fb 7b e3 eb 06 fa b7 d6 b..ev ...{......<br> 0060 - 1a 1e 2e b5 e0 ea c1 a3-d2 bf 12 bf 38 94 29 10 ............8.).<br> 0070 - 79 52 de 5d ef 30 d6 a7-01 a5 74 05 69 d1 31 61 yR.].0....t.i.1a<br> 0080 - a8 05 ac 83 d1 ab 17 82-c0 cc 1d 23 96 4e d2 af ...........#.N..<br> 0090 - 74 56 aa f2 24 8c 02 f9-90 b3 e1 65 8f 81 12 a1 tV..$......e....<br> 00a0 - 79 36 72 a1 cf 0e a7 f0-fb b5 d0 42 81 5f ca 13 y6r........B._..<br> 00b0 - 24 97 a3 92 40 07 bd 5b-2c 3e 9d e8 af 3e f0 56 $...@..[,>...>.V<br> 00c0 - 9d 00 86 b2 30 fe 4b 68-c0 2e 17 d6 aa a7 5f 5b ....0.Kh......_[<br> 00d0 - 3f 0f 30 81 a4 2b a1 fd-f6 b5 8c 3c 4e 03 cb de ?.0..+.....<N...<br><br> Start Time: 1527153377<br> Timeout : 7200 (sec)<br> Verify return code: 0 (ok)<br> Extended master secret: no<br>---<br><br></div><div>Should I see PSK identity here? Or, it is the TLS session ticket.<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
A HelloRetryRequest will occur if the key share provided by the client<br>
is not acceptable to the server. By default the client will send an<br>
X25519 key share, so if the server does not accept that group then an<br>
HRR will result, e.g.<br>
<br>
$ openssl s_server -cert cert.pem -key key.pem -groups P-256<br>
$ openssl s_client<br></blockquote><div>It looks option "-groups" just specifies the most preferable named groups,<br>but other groups still could be negotiated. Right?<br></div><div><br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Of course a HelloRetryRequest all happens at the protocol layer and is<br>
invisible as far as a user of the command line apps is concerned. You<br>
will have to look at what happens "on the wire" to actually see it in<br>
action - for example by using wireshark. Alternatively you can compile<br>
OpenSSL with the "enable-ssl-trace" option, and pass the "-trace" flag<br>
to s_server or s_client to see what protocol messages are being exchanged.<br></blockquote><div>I found interesting things from trace logs.<br><br></div><div>BTW, the TLS 1.3 wiki [1] stats that the TLS 1.3 cipher suites are named:<br>TLS13-AES-256-GCM-SHA384<br>TLS13-CHACHA20-POLY1305-SHA256<br>TLS13-AES-128-GCM-SHA256<br>TLS13-AES-128-CCM-8-SHA256<br>TLS13-AES-128-CCM-SHA256<br></div><div>But with version 1.1.1-pre6, they are using the formal names,<br>like TLS_AES_256_GCM_SHA384.<br></div><div><br>[1] <a href="https://wiki.openssl.org/index.php/TLS1.3">https://wiki.openssl.org/index.php/TLS1.3</a><br></div><div><br></div><div>Thanks!<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Matt<br>
<span class="gmail-"><br>
<br>
<br>
> <br>
> 2018-04-29 18:43 GMT+08:00 Kurt Roeckx <<a href="mailto:kurt@roeckx.be">kurt@roeckx.be</a><br>
</span>> <mailto:<a href="mailto:kurt@roeckx.be">kurt@roeckx.be</a>>>:<br>
<span class="gmail-">> <br>
> The upcomming OpenSSL 1.1.1 release will have TLS 1.3 support. TLS<br>
> 1.3 brings a lot of changes that might cause incompatibility. For<br>
> an overview see <a href="https://wiki.openssl.org/index.php/TLS1.3" rel="noreferrer" target="_blank">https://wiki.openssl.org/<wbr>index.php/TLS1.3</a><br>
> <<a href="https://wiki.openssl.org/index.php/TLS1.3" rel="noreferrer" target="_blank">https://wiki.openssl.org/<wbr>index.php/TLS1.3</a>><br>
> <br>
> We are considering if we should enable TLS 1.3 by default or not,<br>
> or when it should be enabled. For that, we would like to know how<br>
> applications behave with the latest beta release.<br>
> <br>
> When testing this, it's important that both sides of the<br>
> connection support the same TLS 1.3 draft version. OpenSSL<br>
> currently implements draft 26. We would like to see tests<br>
> for OpenSSL acting as client and server.<br>
> <br>
> <a href="https://github.com/tlswg/tls13-spec/wiki/Implementations" rel="noreferrer" target="_blank">https://github.com/tlswg/<wbr>tls13-spec/wiki/<wbr>Implementations</a><br>
> <<a href="https://github.com/tlswg/tls13-spec/wiki/Implementations" rel="noreferrer" target="_blank">https://github.com/tlswg/<wbr>tls13-spec/wiki/<wbr>Implementations</a>> lists<br>
> other TLS 1.3 implementations and the draft they currently<br>
> support. Note that the versions listed there might not be for the<br>
> latest release. It also lists some https test servers.<br>
> <br>
> We would really like to see a diverse set of applictions being<br>
> tested. Please report any results you have to us.<br>
> <br>
> <br>
> Kurt<br>
> <br>
> -- <br>
> openssl-users mailing list<br>
> To unsubscribe:<br>
> <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</span>> <<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><wbr>><br>
<div class="gmail-HOEnZb"><div class="gmail-h5">> <br>
> <br>
> <br>
> <br>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div></div></div>