[openssl-users] how is it possible to confirm that a TLS ticket was used?

Tue Feb 5 00:57:53 UTC 2019

On Mon, Feb 04, 2019 at 03:54:48PM -0800, Sam Roberts wrote:

> And is it possible that this is different for TLS1.2 and 1.3?

The resumption API is the same.  However, because in TLS 1.3, session
tickets are sent *after* the completion of the handshake, it is
possible that the session handle you're saving is the one that does
not yet have any associated tickets, because they've not yet been
received.  Session ticket resumption is working with Postfix and
TLS 1.3.

    $ posttls-finger -c -Lsummary,cache,ssl-debug -r 4 smtp.dukhovni.org
    posttls-finger: looking for session [100.2.39.101]:25&4A46567FCBCF5C0617FE221FA66FD0CB8F240EB24DB6BD261D53255FC8C9BE94 in memory cache
    posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: SNI hostname: smtp.dukhovni.org
    posttls-finger: SSL_connect:before SSL initialization
    posttls-finger: SSL_connect:SSLv3/TLS write client hello
    posttls-finger: SSL_connect:SSLv3/TLS write client hello
    posttls-finger: SSL_connect:SSLv3/TLS read server hello
    posttls-finger: SSL_connect:TLSv1.3 read encrypted extensions
    posttls-finger: SSL_connect:SSLv3/TLS read server certificate
    posttls-finger: SSL_connect:TLSv1.3 read server certificate verify
    posttls-finger: SSL_connect:SSLv3/TLS read finished
    posttls-finger: SSL_connect:SSLv3/TLS write change cipher spec
    posttls-finger: SSL_connect:SSLv3/TLS write finished
    posttls-finger: Verified TLS connection established to smtp.dukhovni.org[100.2.39.101]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    posttls-finger: SSL_connect:SSL negotiation finished successfully
    posttls-finger: SSL_connect:SSL negotiation finished successfully
    posttls-finger: save session [100.2.39.101]:25&4A46567FCBCF5C0617FE221FA66FD0CB8F240EB24DB6BD261D53255FC8C9BE94 to memory cache
    posttls-finger: SSL_connect:SSLv3/TLS read server session ticket
    posttls-finger: Reconnecting after 4 seconds
    posttls-finger: looking for session [100.2.39.101]:25&4A46567FCBCF5C0617FE221FA66FD0CB8F240EB24DB6BD261D53255FC8C9BE94 in memory cache
    posttls-finger: reloaded session [100.2.39.101]:25&4A46567FCBCF5C0617FE221FA66FD0CB8F240EB24DB6BD261D53255FC8C9BE94 from memory cache
    posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: SNI hostname: smtp.dukhovni.org
    posttls-finger: SSL_connect:before SSL initialization
    posttls-finger: SSL_connect:SSLv3/TLS write client hello
    posttls-finger: SSL_connect:SSLv3/TLS write client hello
    posttls-finger: SSL_connect:SSLv3/TLS read server hello
    posttls-finger: SSL_connect:TLSv1.3 read encrypted extensions
    posttls-finger: SSL_connect:SSLv3/TLS read finished
    posttls-finger: SSL_connect:SSLv3/TLS write change cipher spec
    posttls-finger: SSL_connect:SSLv3/TLS write finished
    posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: Reusing old session
    posttls-finger: Verified TLS connection established to smtp.dukhovni.org[100.2.39.101]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
    posttls-finger: Found a previously used server.  Done reconnecting.

-- 
	Viktor.