Query related to session resumption in TLS1.3
shalu dhamija
dhamija_shalu at yahoo.com
Thu May 16 16:22:13 UTC 2019
Hi All,
I am in process of using TLS1.3 using openssl 1.1.1b version in my client application. In order to use session resumption, I have implemented an external cache when acting as the client. The key to the cache is combination of host and port and the value associated is SSL_SESSION*. Before calling ssl_connect, I am checking if the entry corresponding to the key exists in the map. If it exists, I am calling SSL_set_session. After ssl_connect, I am checking if the session is reused or not using SSL_Session_Reused. If its not reused, I am inserting the new session obtained as a result of call to SSL_get1_session() in the map.
Pseudo code is as follows:
std::map<std::string, SSL_SESSION*> sessionCache;/* Generate an SSL client context. */SSL_CTX* ctx = SSL_CTX_new(TLS_method());SSL* ssl = SSL_new(ctx); //Check if we have a stored session it = sessionCache.find (key);if (it != sessionCache.end()) { SSL_set_session (ssl, it->second)}
SSL_connect(ssl);int reUsed = SSL_session_reused(ssl);if (!reUsed) { session = SSL_get1_session(ssl); sessionCache.insert (key, session);}
The above flow works well using TLS1.2. I can see that SSL_session_reused returns true in the second connection.
But the same flow does not work for TLS1.3. In TLSv1.3, sessions are established after the main handshake has completed. So, I have implemented the callback SSL_CTX_sess_set_new_cb. And in the callback, I am storing the session into the cache. In subsequent connections, the session is present in the map, SSL_set_session API returns true. But SSL_session_reused is always returning false.
I have the following queries:1. Is the above mentioned approach applicable for TLS 1.3? 2. There is a mention that PreShared keys are used for session resumption in TLS1.3. Can someone please clarify, how should I make my client send psk using openssl for subsequent connection?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190516/5631d211/attachment.html>
More information about the openssl-users
mailing list