[openssl-users] Double TLS 1.3 session ticket?

Matt Caswell matt at openssl.org
Wed Jun 20 21:49:17 UTC 2018

On 20/06/18 22:31, Yann Ylavic wrote:
>>> Thanks, it does not happen with mozilla implementation
>>> (tls13.crypto.mozilla.org), is this openssl specific or part of the
>>> specification?
>> The specification allows a server to send one or more tickets, at its discretion.
> OK thanks, I could find the relevant PR and rationale after more googling.
> One caveat though, the info_callback()s can now be called multiple
> times with SSL_CB_HANDSHAKE_START/DONE (for each ticket), same
> possibly for other callbacks (if any) where the state could be
> tracked. The s_client output from the original message is misleading
> in this regard.
> For instance in Apache httpd info_callback() is used to check for and
> forbid client initiated renegotiations, not a big deal since they
> shouldn't exist anymore with TLS 1.3 (so this check has been disabled
> since it's enforced by openssl in the first place), but I wonder if
> announcing the start then end of the same handshake multiple times
> could/should be avoided (i.e. handshake ends after last ticket only)?

They really are individual transactions, so it makes much more sense to
me to signal each one as a separate handshake. On the client side we
have little choice because we don't know how many tickets the server
will send. It seems odd to do it differently on the server.
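
The callback behaviour discussed in this message, as an added example (not code from OpenSSL or Apache httpd): a per-connection tracker, fed from an info callback, that treats a repeated SSL_CB_HANDSHAKE_START as a renegotiation only below TLS 1.3. The names `reneg_guard`, `reneg_guard_event`, `replay` and `handshake_trace` are hypothetical, the constants repeat the values from OpenSSL's headers so the block compiles without them, and the event trace is constructed.

```c
#include <stdio.h>

/* Same values as in OpenSSL's headers, repeated so this compiles without them. */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Hypothetical per-connection state (could be attached with SSL_set_ex_data()). */
struct reneg_guard {
    int initial_done;  /* first handshake has completed */
    int drop;          /* connection must be refused */
};

/* Feed one info-callback event; in a real callback `version` would be
 * SSL_version(ssl). Assumes the server never starts a renegotiation itself. */
int reneg_guard_event(struct reneg_guard *g, int where, int version)
{
    if ((where & SSL_CB_HANDSHAKE_START) && g->initial_done) {
        /* TLS 1.3 has no renegotiation: a later START/DONE pair is a
         * separate post-handshake transaction such as a session ticket. */
        if (version < TLS1_3_VERSION)
            g->drop = 1;
    }
    if (where & SSL_CB_HANDSHAKE_DONE)
        g->initial_done = 1;
    return g->drop;
}

/* Constructed trace: the initial handshake plus two more START/DONE pairs
 * (two tickets under TLS 1.3, renegotiations under TLS 1.2). */
static const int handshake_trace[] = {
    SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
    SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
    SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE,
};

/* Replay the first n events of a trace; returns 1 if the connection is dropped. */
int replay(const int *events, int n, int version)
{
    struct reneg_guard g = {0, 0};
    for (int i = 0; i < n; i++)
        reneg_guard_event(&g, events[i], version);
    return g.drop;
}

int main(void)
{
    printf("TLS 1.3 dropped: %d, TLS 1.2 dropped: %d\n",
           replay(handshake_trace, 6, TLS1_3_VERSION),
           replay(handshake_trace, 6, TLS1_2_VERSION));
    return 0;
}
```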

