[openssl-users] Why was early data rejected?

Matt Caswell matt at openssl.org
Wed Sep 12 13:07:23 UTC 2018



On 12/09/18 14:04, John Jiang wrote:
> I got the points!
> 1. should not use -www option on server side

Right - we should probably error out if you attempt to use those two
options in combination.


> 2. Possibly, no session ticket was saved in the first connection with
> the below command,
> echo "M" | openssl s_client -trace -state -CAfile ca.cer -tls1_3
> -sess_out openssl.sess -connect localhost:9443
> The client exited so quickly that it didn't receive the server's session ticket.

Ahh! Makes sense!

Matt

> 
> On Wed, Sep 12, 2018 at 8:16 PM Matt Caswell <matt at openssl.org> wrote:
> 
>     Were you using the -www option to s_server before? You didn't mention it
>     in your original email, but in this log it shows you using it.
> 
>     Try without that option.
> 
>     Matt
> 
> 
>     On 12/09/18 12:25, John Jiang wrote:
>     > Very strange. I re-tried the same case, but the resumption failed.
>     > The attached logs contain the full outputs in both connections on
>     > server and client sides.
>     >
>     > On Wed, Sep 12, 2018 at 7:09 PM Matt Caswell <matt at openssl.org> wrote:
>     >
>     >     Nothing particularly unexpected in there. Could you send me the
>     >     s_server log including *both* connections, i.e. the original
>     >     connection attempt to create the session, followed by the
>     >     subsequent resume.
>     >
>     >     Thanks
>     >
>     >     Matt
>     >
>     >
>     >     On 12/09/18 11:50, John Jiang wrote:
>     >     > Could you please take a look at the attached s_client.log?
>     >     > It was outputted by s_client with options -trace and -state in the
>     >     > second connection.
>     >     >
>     >     > Matt Caswell <matt at openssl.org> wrote on Wed, Sep 12, 2018 at 4:48 PM:
>     >     >
>     >     >
>     >     >
>     >     >     On 12/09/18 09:34, John Jiang wrote:
>     >     >     >
>     >     >     > It looks like the session was resumed, but early data still was rejected.
>     >     >
>     >     >     Hmm. Strange. I just tried the exact same sequence of commands
>     >     >     and it was accepted.
>     >     >
>     >     >     One thing to try is to recompile OpenSSL with the
>     >     >     "enable-ssl-trace" config option. Then you can add the "-trace"
>     >     >     option to s_client and/or s_server which might give a better
>     >     >     clue as to why it is rejected.
>     >     >
>     >     >     Matt
>     >     >
>     >     >     --
>     >     >     openssl-users mailing list
>     >     >     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>     >     >
>     >     >
>     >     >
> 
> 
> 

