[openssl-users] Why openssl is printing session ID where there is none sent by server, when using session ticket?
M K Saravanan
mksarav at gmail.com
Wed Jan 16 02:48:53 UTC 2019
On Tue, 15 Jan 2019 at 20:02, Matt Caswell <matt at openssl.org> wrote:
> This is perhaps best explained by this comment in the client side code for
> processing a new ticket from the server:
> * There are two ways to detect a resumed ticket session. One is to set
> * an appropriate session ID and then the server must return a match in
> * ServerHello. This allows the normal client session ID matching to work
> * and we know much earlier that the ticket has been accepted. The
> * other way is to set zero length session ID when the ticket is
> * presented and rely on the handshake to determine session resumption.
> * We choose the former approach because this fits in with assumptions
> * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
> * SHA256 is disabled) hash of the ticket.
Beautiful! Thank you so much for the clarification.
More information about the openssl-users