[openssl-users] RFC5077 ticket construction help

Henderson, Karl KHenderson at verisign.com
Wed Mar 28 17:37:39 UTC 2018

Ok, but I’d like to use TLS rather than Kerberos. I’m wondering if I could do something like this:

C sends a Client Hello with 0 length Session Ticket to B.
B sends back a NewSessionTicket to C in Server Hello.
C sets SSL_CTX_sess_set_new_cb(ctx, new_session_cb) and saves the session blob/ticket in the new_session_cb function indexed by the URL of B.
A contacts C with the URL of B.
C looks up the session ticket indexed by the URL of B.
C sends A the session ticket.
A contacts B and sets the ticket using SSL_set_session_ticket_ext(ssl, ticket, ticket size).

Feasible? I’m trying something like this now but I can’t get it working.


From: openssl-users <openssl-users-bounces at openssl.org> on behalf of Michael Sierchio <kudzu at tenebras.com>
Reply-To: "openssl-users at openssl.org" <openssl-users at openssl.org>
Date: Wednesday, March 28, 2018 at 12:45 PM
To: "openssl-users at openssl.org" <openssl-users at openssl.org>
Subject: [EXTERNAL] Re: [openssl-users] RFC5077 ticket construction help



Since there exists a reference implementation, and the source code is available, why not start there?  The symmetric key protocol is the basis of Kerberos.


- M


On Wed, Mar 28, 2018 at 9:26 AM, Henderson, Karl via openssl-users <openssl-users at openssl.org> wrote:

Need some help with RFC5077 ticket construction. I’d like to implement a type of Needham-Schroeder protocol where:

A wants to talk to B
A and B have a relationship with C
C constructs an RFC5077 ticket and gives it to A so that A can contact B

Are there any good examples of how to do this?


The problem I think I’m having the most difficulty with is understanding what I need to put into the encrypted_state portion of the session ticket.








"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred." 

- The Mahābhārata
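As an added example (not code from this thread or from OpenSSL), the Go block below implements the RFC 5077 section 4 recommended construction that the encrypted_state question is about: a StatePlaintext (protocol version, cipher suite, compression method, the 48-byte master_secret, client identity, timestamp) is encoded, encrypted with AES-CBC, framed as key_name || iv || length || encrypted_state || mac with HMAC-SHA-256 over everything before the tag, and on receipt is opened only after the key_name and MAC check out. Because the master_secret lives inside the ticket, only the party that already holds that secret can later resume with it; the ticket itself is opaque to everyone but the holder of the ticket keys. The AES block, MAC key, key_name and IV are constructed inputs supplied by the caller, and ClientIdentity is fixed to anonymous for brevity.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// MarshalState encodes an RFC 5077 section 4 StatePlaintext with anonymous ClientIdentity:
// protocol_version(2) cipher_suite(2) compression_method(1) master_secret(48) auth_type(1) timestamp(4).
func MarshalState(version, suite uint16, compression byte, master [48]byte, ts uint32) []byte {
	b := make([]byte, 58)
	b[0], b[1], b[2], b[3], b[4] = byte(version>>8), byte(version), byte(suite>>8), byte(suite), compression
	copy(b[5:53], master[:]) // b[53] stays 0: ClientAuthenticationType anonymous(0), so no identity bytes follow
	b[54], b[55], b[56], b[57] = byte(ts>>24), byte(ts>>16), byte(ts>>8), byte(ts)
	return b
}

// Seal produces key_name[16] || iv[16] || length(2) || encrypted_state || mac[32]: AES-CBC with
// PKCS#7 padding under block, then HMAC-SHA-256 over every preceding byte (encrypt-then-MAC).
func Seal(block cipher.Block, keyName, iv [16]byte, macKey, state []byte) []byte {
	pad := aes.BlockSize - len(state)%aes.BlockSize
	enc := append(append([]byte{}, state...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv[:]).CryptBlocks(enc, enc)
	t := append(append([]byte{}, keyName[:]...), iv[:]...)
	t = append(append(t, byte(len(enc)>>8), byte(len(enc))), enc...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(t)
	return mac.Sum(t) // Sum appends the 32-byte tag to the ticket body
}

// Open checks framing, key_name and the MAC before decrypting anything, then strips the padding.
func Open(block cipher.Block, keyName [16]byte, macKey, ticket []byte) ([]byte, error) {
	n := len(ticket) - 66 // encrypted_state length once the fixed fields are accounted for
	if n <= 0 || n%aes.BlockSize != 0 || int(ticket[32])<<8|int(ticket[33]) != n || !bytes.Equal(ticket[:16], keyName[:]) {
		return nil, errors.New("malformed ticket or unknown key_name")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ticket[:34+n])
	if !hmac.Equal(mac.Sum(nil), ticket[34+n:]) {
		return nil, errors.New("MAC mismatch")
	}
	dec := make([]byte, n)
	cipher.NewCBCDecrypter(block, ticket[16:32]).CryptBlocks(dec, ticket[34:34+n])
	if pad := int(dec[n-1]); pad >= 1 && pad <= aes.BlockSize && bytes.Equal(dec[n-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return dec[:n-pad], nil
	}
	return nil, errors.New("bad padding")
}
```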

