[openssl-users] Why was early data rejected?

John Jiang john.sha.jiang at gmail.com
Wed Sep 12 13:04:32 UTC 2018


I got the points!
1. Should not use the -www option on the server side.
2. Possibly, no session ticket was saved in the first connection with the
command below:
echo "M" | openssl s_client -trace -state -CAfile ca.cer -tls1_3 -sess_out openssl.sess -connect localhost:9443
The client exited so quickly that it didn't receive the server's session ticket.

On Wed, Sep 12, 2018 at 8:16 PM Matt Caswell <matt at openssl.org> wrote:

> Were you using the -www option to s_server before? You didn't mention it
> in your original email, but in this log it shows you using it.
>
> Try without that option.
>
> Matt
>
>
> On 12/09/18 12:25, John Jiang wrote:
> > Very strange. I re-tried the same case, but the resumption failed.
> > The attached logs contain the full outputs in both connections on the
> > server and client sides.
> >
> > On Wed, Sep 12, 2018 at 7:09 PM Matt Caswell <matt at openssl.org> wrote:
> >
> >     Nothing particularly unexpected in there. Could you send me the s_server
> >     log including *both* connections, i.e. the original connection attempt
> >     to create the session, followed by the subsequent resume.
> >
> >     Thanks
> >
> >     Matt
> >
> >
> >     On 12/09/18 11:50, John Jiang wrote:
> >     > Could you please take a look at the attached s_client.log?
> >     > It was output by s_client with options -trace and -state in the
> >     > second connection.
> >     >
> >     > On Wed, Sep 12, 2018 at 4:48 PM, Matt Caswell <matt at openssl.org> wrote:
> >     >
> >     >
> >     >
> >     >     On 12/09/18 09:34, John Jiang wrote:
> >     >     >
> >     >     > It looks like the session was resumed, but early data was still
> >     >     > rejected.
> >     >
> >     >     Hmm. Strange. I just tried the exact same sequence of commands and it
> >     >     was accepted.
> >     >
> >     >     One thing to try is to recompile OpenSSL with the "enable-ssl-trace"
> >     >     config option. Then you can add the "-trace" option to s_client and/or
> >     >     s_server which might give a better clue as to why it is rejected.
> >     >
> >     >     Matt
> >     >
> >     >     --
> >     >     openssl-users mailing list
> >     >     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> >     >
> >     >
> >     >
>
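
Added example, not part of the original thread: a shell helper that checks saved s_client output from the two connections for the two failure points discussed above (no ticket saved in the first connection; session resumed but early data rejected). It assumes the status lines printed by OpenSSL 1.1.1 s_client; the function names, file names and sample logs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): classify a two-connection TLS 1.3
# early-data test from saved s_client output. File names are hypothetical.

# Succeeds only if the first connection logged a post-handshake ticket and
# the -sess_out file ($2) exists and is non-empty.
ticket_saved() {
    grep -q 'Post-Handshake New Session Ticket arrived' "$1" && [ -s "$2" ]
}

# Prints accepted | rejected | not-sent | unknown for the second connection.
early_data_status() {
    if grep -q '^Early data was accepted' "$1"; then echo accepted
    elif grep -q '^Early data was rejected' "$1"; then echo rejected
    elif grep -q '^Early data was not sent' "$1"; then echo not-sent
    else echo unknown
    fi
}

# diagnose FIRST_LOG SESSION_FILE SECOND_LOG
diagnose() {
    if ! ticket_saved "$1" "$2"; then
        echo no-ticket        # no ticket seen or saved in connection 1
    elif ! grep -q '^Reused, TLSv1.3' "$3"; then
        echo not-resumed      # connection 2 did a full handshake
    else
        echo "early-data-$(early_data_status "$3")"
    fi
}

# Constructed sample output, not the logs attached to the thread.
demo=$(mktemp -d)
printf '%s\n' '---' 'New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' \
    > "$demo/first_quick.log"
: > "$demo/quick.sess"
printf '%s\n' '---' 'Post-Handshake New Session Ticket arrived:' \
    > "$demo/first_ok.log"
printf 'constructed' > "$demo/ok.sess"
printf '%s\n' '---' 'Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384' \
    'Early data was rejected' > "$demo/second.log"

diagnose "$demo/first_quick.log" "$demo/quick.sess" "$demo/second.log"
diagnose "$demo/first_ok.log" "$demo/ok.sess" "$demo/second.log"
```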