[openssl-dev] TLS1.3 NewSessionTicket format

[Hubert Le Van Gong]

Greetings,

We're doing some testings around TLS1.3 and in particular we're looking at
session resumption.

We've captured some of the NewSessionTicket msgs sent by the server (Nginx
over openssl 1.1.1-dev) and have a hard time reconciling their format with
draft 20 of the TLS1.3 spec.

Here's the details:

04 00 00 e4 00 00 02 58 0a 4d cd d9 00 d0 e3 53
f7 54 bf f9 b1 af 89 e1 3f cc 27 4a 20 b6 01 75
2a 5c 1e 1a a0 7b c4 b1 63 a8 89 b4 5f 15 fb 87
02 9f e4 5c 2c d1 cb ca 4a ae 52 45 1a c9 bf 91
a3 47 02 1d 01 4b de f5 23 5e 25 e9 d3 d2 53 6e
98 cb 7c 69 25 db 89 1c c6 3e a6 10 fd ee 18 b3
f4 8a ac 50 d0 17 6c a2 93 fa 36 c5 44 7d 75 1c
98 cb 4f 42 66 3d b1 06 72 16 49 8f 07 05 c1 05
59 48 cc bf e5 12 f1 d4 bd e2 20 df 39 98 cf 29
d5 f5 09 7f df da 48 9d 74 10 19 cd 60 ac 7a c8
db de 1b 96 02 bc 1f 60 2b d5 49 48 ab 0a 45 5f
75 d5 a7 bb 99 ec 84 4c 43 4b 78 de 43 7f 90 e6
87 0a 62 7e ee 66 d1 cb 26 8f 36 9f 1a 09 ec e2
fb 65 5f 3d 0b 19 e1 06 55 09 e2 07 ae 5c 00 08
00 2a 00 04 00 00 40 00

The blue hex numbers (last 10 bytes) do correctly map to the only allowed
extension, early_data and contains a max_early_data_size set to 16k).

>From the TLS draft 20 spec, the red bytes (8 first bytes) are supposed to
correspond to ticket_lifetime and ticket_age_add.
The first issue is that the values of these fields seem very weird (04 00
00 e4 for lifetime??).

Also, this would lead to the next 2 bytes containing the length of the
ticket: 0a 4d   i.e. 2637 bytes.
This doesn't look right as the ticket length is clearly less than that.

I should add that we have captured several NewSessionTicket and they all
look similar, albeit with different ticket length value (even though the
tickets actually have the same length).

Can anyone think of what we are missing?


Cheers,
Hubert
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20170630/8f906932/attachment.html>