[openssl-users] Call for testing TLS 1.3

Matt Caswell matt at openssl.org
Thu Jun 21 09:50:41 UTC 2018

On 21/06/18 10:44, John Jiang wrote:
> If s_server doesn't use option -early_data, the NewSessionTicket won't
> contain early_data extension,
> and then in the second connection, s_client won't send early data even
> option -early_data is used.
> Right?


> Is it possible to take s_client to send early data, even though the
> server don't support 0-RTT.

You can start s_server with the -early_data option and connect to it via
s_client to get the session with the early_data extension in it. Then
stop and restart s_server without the early_data extension. Start
s_client and attempt to send early_data. The early_data will get
rejected and a full handshake will occur instead.

Or, another possibility is to do things as I originally suggested (so
that s_client sends early data that the server accepts), but then use
s_client *again* reusing the same session to send early data. The replay
protection will kick in, and s_server will refuse the early data.


More information about the openssl-users mailing list