[openssl-users] Double TLS 1.3 session ticket?

Yann Ylavic ylavic.dev at gmail.com
Wed Jun 20 22:17:26 UTC 2018

On Wed, Jun 20, 2018 at 11:49 PM, Matt Caswell <matt at openssl.org> wrote:
> On 20/06/18 22:31, Yann Ylavic wrote:
>> but I wonder if
>> announcing the start then end of the same handshake multiple times
>> could/should be avoided (i.e. handshake ends after last ticket only)?
> They really are individual transactions, so it makes much more sense to
> me to signal each one as a separate handshake. On the client side we
> have little choice because we don't know how many tickets the server
> will send. It seems odd to do it differently on the server.

Right but if s_server had handled SSL_CB_HANDSHAKE_START/DONE in its
info callback (like s_client), you'd see "SSL negotiation finished
successfully" after each ticket, even if the server knows (or could).
They are not really transactions since the client isn't supposed to
send anything in between, it's still part of the initial handshake
IMHO, and the flush seems not really needed either until the last
Looks like it's missing some state in the machine.


More information about the openssl-users mailing list