How to simulate "TLS 1.3 Session Resumption" through OpenSSL tools?
Matt Caswell
matt at openssl.org
Fri Jul 2 09:45:59 UTC 2021
On 02/07/2021 10:09, Nan Xiao wrote:
> Hi OpenSSL users,
>
> Greetings from me! From this article
> (https://www.qacafe.com/resources/examples-of-tls-1-3/) and pcap file
> (https://www.cloudshark.org/captures/64d433b1585a), I know we can use
> s_server and s_client to simulate "TLS 1.3 Session Resumption". I
> tried the following command:
>
> echo | openssl s_client -tls1_3 -connect tls13.cloudflare.com:443 -reconnect
>

That looks like you've stumbled across an s_client bug. This should
work, but it doesn't appear to. I just raised an issue for it:

https://github.com/openssl/openssl/issues/15979

> But it seems not to work since there is no "pre_shared_key" extension,
> and every time s_client just initiated a new connection instead of
> resumption.
>
> Could anybody advise how to simulate "TLS 1.3 Session Resumption"
> through OpenSSL tools? Thanks very much in advance!

You can do this another way. Create an initial connection (add
"-connect" option as appropriate):

    openssl s_client -tls1_3 -sess_out sess.pem

And then resume like this:

    openssl s_client -tls1_3 -sess_in sess.pem

However, note that with TLSv1.3 the session data doesn't arrive until
post-handshake. In the case of the cloudflare server it doesn't send any
session tickets until it has received some application data from the
client. So in order to get a valid resumable session you will have to
type some HTTP command into s_client once it has created its initial
connection. This should cause the cloudflare server to respond with a
session ticket, which will get saved to the sess.pem file. You can then
use that in the subsequent resumption attempt.
Matt
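
The two-step procedure from the reply above, scripted so the result can be checked. This is an added example, not part of the original message or OpenSSL's own code; the function names are hypothetical, and the -ign_eof option and the piped HTTP request are additions to the commands shown in the post.

```sh
#!/bin/sh
# Added example: automates the -sess_out / -sess_in procedure and checks the result.

# Print a minimal HTTP request; the server needs application data before it
# sends a session ticket.
send_get() {
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1"
}

# Count NewSessionTicket messages in an s_client transcript read from stdin.
ticket_count() {
    grep -c '^Post-Handshake New Session Ticket arrived:' || true
}

# Classify the last handshake in a transcript: resumed, full or unknown.
handshake_kind() {
    awk '/^Reused, TLSv1\.3/ { k = "resumed" }
         /^New, TLSv1\.3/    { k = "full" }
         END { print (k == "" ? "unknown" : k) }'
}

# resume_check HOST [PORT]: returns 0 only if the second connection resumed.
resume_check() {
    host=$1 port=${2:-443}
    sess=$(mktemp) || return 2
    # -ign_eof (an addition to the commands in the post) keeps s_client open
    # after stdin ends so the ticket can arrive before the server closes.
    first=$(send_get "$host" | openssl s_client -tls1_3 \
        -connect "$host:$port" -sess_out "$sess" -ign_eof 2>/dev/null) || :
    if [ "$(printf '%s\n' "$first" | ticket_count)" -eq 0 ] || [ ! -s "$sess" ]; then
        echo "no session ticket received; nothing to resume" >&2
        rm -f "$sess"; return 1
    fi
    second=$(openssl s_client -tls1_3 -connect "$host:$port" \
        -sess_in "$sess" </dev/null 2>/dev/null) || :
    # The session file holds the resumption secret, so do not leave it behind.
    rm -f "$sess"
    kind=$(printf '%s\n' "$second" | handshake_kind)
    echo "second handshake: $kind"
    [ "$kind" = resumed ]
}

# Run against a host only when one is given on the command line.
if [ "$#" -gt 0 ]; then resume_check "$@"; fi
```

Run it with a host name as the only argument; it exits non-zero if no ticket arrived or if the second connection was a full handshake.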