[openssl-users] Why openssl is printing session ID where there is none sent by server, when using session ticket?

M K Saravanan mksarav at gmail.com
Wed Jan 16 02:48:53 UTC 2019


Hi Matt,

On Tue, 15 Jan 2019 at 20:02, Matt Caswell <matt at openssl.org> wrote:
> This is perhaps best explained by this comment in the client side code for
> processing a new ticket from the server:
>
>     /*
>      * There are two ways to detect a resumed ticket session. One is to set
>      * an appropriate session ID and then the server must return a match in
>      * ServerHello. This allows the normal client session ID matching to work
>      * and we know much earlier that the ticket has been accepted. The
>      * other way is to set zero length session ID when the ticket is
>      * presented and rely on the handshake to determine session resumption.
>      * We choose the former approach because this fits in with assumptions
>      * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 if
>      * SHA256 is disabled) hash of the ticket.
>      */

Beautiful!  Thank you so much for the clarification.

with regards,
Saravanan
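
Added example, not part of the original message and not OpenSSL's code: a Python model of the first approach in the quoted comment, where the client derives a session ID from the ticket and checks whether ServerHello echoes it. It assumes the TLS 1.2 ServerHello body layout and SHA256 being available; all function names and the sample ticket are hypothetical.

```python
import hashlib


def ticket_session_id(ticket: bytes) -> bytes:
    """Session ID the client assigns to a ticket session: SHA-256 of the ticket."""
    return hashlib.sha256(ticket).digest()


def server_hello_session_id(body: bytes) -> bytes:
    """Extract session_id from a TLS 1.2 ServerHello body (handshake header stripped).

    Layout: version(2) | random(32) | sid_len(1) | sid | cipher(2) | compression(1)
    """
    if len(body) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len + 3:
        raise ValueError("bad session_id length")
    return body[35:35 + sid_len]


def ticket_accepted(ticket: bytes, server_hello: bytes) -> bool:
    """Early client-side check: True if ServerHello echoes the ID sent with the ticket.

    An empty or different session_id means this check sees no resumption.
    """
    return server_hello_session_id(server_hello) == ticket_session_id(ticket)


def build_server_hello(session_id: bytes) -> bytes:
    """Constructed ServerHello body for the demo (zeroed random, one cipher suite)."""
    return (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\xc0\x2f" + b"\x00")


# Constructed opaque ticket; a real one comes from the server's NewSessionTicket.
TICKET = bytes(range(48)) * 4

if __name__ == "__main__":
    sid = ticket_session_id(TICKET)
    print("session ID shown for the ticket:", sid.hex())
    print("echoed ID  ->", ticket_accepted(TICKET, build_server_hello(sid)))
    print("empty ID   ->", ticket_accepted(TICKET, build_server_hello(b"")))
```

The first printed value is why a session ID appears on the client even when the server sent none: it is computed locally from the ticket.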