[openssl-dev] [openssl.org #4389] [PATCH] The NewSessionTicket message is not optional.

David Benjamin via RT rt at openssl.org
Mon Mar 7 21:56:25 UTC 2016

Per RFC 4507, section 3.3:

   This message [NewSessionTicket] MUST be sent if the
   server included a SessionTicket extension in the ServerHello.  This
   message MUST NOT be sent if the server did not include a
   SessionTicket extension in the ServerHello.

The presence of the NewSessionTicket message should be determined entirely
from the ServerHello without probing.

The SkipNewSessionTicket test in BoringSSL's test suite can be used to
repro this:


Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4389
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-The-NewSessionTicket-message-is-not-optional.patch
Type: application/octet-stream
Size: 1473 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160307/897575cc/attachment.obj>

More information about the openssl-dev mailing list