<div dir="ltr"><div dir="ltr"><div>I got the points!<br></div><div>1. should not use -www option on server side<br></div><div>2. Possibly, no session ticket was saved in the first connection with the below command,<br></div><div>echo "M" | openssl s_client -trace -state -CAfile ca.cer -tls1_3 -sess_out openssl.sess -connect localhost:9443<br></div><div>The client exited so quickly that didn't receive sever's session ticket.</div><div><div><br><div class="gmail_quote"><div dir="ltr">On Wed, Sep 12, 2018 at 8:16 PM Matt Caswell <<a href="mailto:matt@openssl.org">matt@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Were you using the -www option to s_server before? You didn't mention it<br>
in your original email, but in this log it shows you using it.<br>
<br>
Try without that option.<br>
<br>
Matt<br>
<br>
<br>
On 12/09/18 12:25, John Jiang wrote:<br>
> Very strange. I re-tried the same case, but the resumption failed.<br>
> The attached logs contain the full outputs in the both connections on<br>
> server and client sides.<br>
> <br>
> On Wed, Sep 12, 2018 at 7:09 PM Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>> wrote:<br>
> <br>
> Nothing particularly unexpected in there. Could you send me the s_server<br>
> log including *both* connections, i.e. the original connection attempt<br>
> to create the session, followed by the subsequent resume.<br>
> <br>
> Thanks<br>
> <br>
> Matt<br>
> <br>
> <br>
> On 12/09/18 11:50, John Jiang wrote:<br>
> > Could you please take a look at the attached s_client.log?<br>
> > It was outputted by s_client with options -trace and -state in the<br>
> > second connection.<br>
> ><br>
> > Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>><br>
> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a> <mailto:<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>>>> 于2018年9月12<br>
> > 日周三 下午4:48写道:<br>
> ><br>
> ><br>
> ><br>
> > On 12/09/18 09:34, John Jiang wrote:<br>
> > ><br>
> > > It looks the session was resumed, but early data still was<br>
> rejected.<br>
> ><br>
> > Hmm. Strange. I just tried the exact same sequence of commands<br>
> and it<br>
> > was accepted.<br>
> ><br>
> > One thing to try is to recompile OpenSSL with the<br>
> "enable-ssl-trace"<br>
> > config option. Then you can add the "-trace" option to<br>
> s_client and/or<br>
> > s_server which might give a better clue as to why it is rejected.<br>
> ><br>
> > Matt<br>
> ><br>
> > --<br>
> > openssl-users mailing list<br>
> > To unsubscribe:<br>
> <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
> ><br>
> ><br>
> ><br>
> -- <br>
> openssl-users mailing list<br>
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
> <br>
> <br>
> <br>
-- <br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</blockquote></div></div></div></div></div>