[openssl-users] how is it possible to confirm that a TLS ticket was used?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Feb 6 03:25:15 UTC 2019

On Tue, Feb 05, 2019 at 02:43:03PM -0800, Sam Roberts wrote:

> I tracked down my problem, it's due to a change in the relative order
> of handshake completion (as detected by the info callback, anyhow),
> and the callback to SSL_CTX_set_tlsext_ticket_key_cb().
> With TLS1.2, I can rotate ticket keys on the server when the handshake
> completes, and they will only apply to the next connection.
> With TLS1.3, the tickets haven't been sent yet, at the time the
> handshake completes, so when I "rotate" the keys, the new keys are
> used immediately afterwards in the ticket_key_cb to encrypt the
> tickets for the connection that just handshaked.

Your ticket rotation approach looks a bit fragile.

Postfix keeps two session ticket keys in memory, one that's used
to both encrypt new tickets and decrypt freshly issued tickets, and
another that's used only to decrypt unexpired tickets that were issued
just before the new key was introduced. This maintains session
ticket continuity across a single key change. The key change interval
is either equal to or is twice the maximum ticket lifetime, ensuring
that tickets are only invalidated by expiration, not key rotation.

