How to simulate "TLS 1.3 Session Resumption" through OpenSSL tools?

Nan Xiao xiaonan830818 at gmail.com
Sun Jul 4 11:01:25 UTC 2021


Hi Matt,

Got it! Thanks very much for your reply!

Best Regards
Nan Xiao

On Fri, Jul 2, 2021 at 5:46 PM Matt Caswell <matt at openssl.org> wrote:
>
>
>
> On 02/07/2021 10:09, Nan Xiao wrote:
> > Hi OpenSSL users,
> >
> > Greetings from me! From this article
> > (https://www.qacafe.com/resources/examples-of-tls-1-3/) and pcap file
> > (https://www.cloudshark.org/captures/64d433b1585a), I know we can use
> > s_server and s_client to simulate "TLS 1.3 Session Resumption". I
> > tried the following command:
> >
> > echo | openssl s_client -tls1_3  -connect tls13.cloudflare.com:443 -reconnect
> >
>
> That looks like you've stumbled across an s_client bug. This should
> work, but it doesn't appear to. I just raised an issue for it:
>
> https://github.com/openssl/openssl/issues/15979
>
>
>
> > But it seems not to work since there is no "pre_shared_key" extension,
> > and every time s_client just initiated a new connection instead of
> > resumption.
> >
> > Could anybody advise how to simulate "TLS 1.3 Session Resumption"
> > through OpenSSL tools? Thanks very much in advance!
>
> You can do this another way. Create an initial connection (add
> "-connect" option as appropriate):
>
> openssl s_client -tls1_3 -sess_out sess.pem
>
> And then resume like this:
>
> openssl s_client -tls1_3 -sess_in sess.pem
>
> However, note that with TLSv1.3 the session data doesn't arrive until
> post-handshake. In the case of the cloudflare server it doesn't send any
> session tickets until it has received some application data from the
> client. So in order to get a valid resumable session you will have to
> type some HTTP command into s_client once it has created its initial
> connection. This should cause the cloudflare server to respond with a
> session ticket, which will get saved to the sess.pem file. You can then
> use that in the subsequent resumption attempt.
>
> Matt
>
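
The two-step procedure from the reply above, run against a local s_server instead of a public host, as an added example that is not part of the original thread. Port 4433, the throwaway self-signed certificate, the helper function names and the use of -www and -ign_eof are assumptions of this example.

```shell
#!/bin/sh
# Added example: TLS 1.3 session resumption with s_server/s_client on localhost.

# Classify s_client output read from stdin. s_client prints a summary line
# starting with "Reused, TLSv1.3" for a resumed session, "New, TLSv1.3" otherwise.
resumption_status() {
  awk '/^Reused, TLSv1\.3/ {s="resumed"} /^New, TLSv1\.3/ && !s {s="new"}
       END {print (s ? s : "unknown")}'
}

# Send one HTTP request so application data flows before the client exits.
# -ign_eof keeps s_client reading until the server closes, so the
# post-handshake session ticket is received and written by -sess_out.
http_get() {
  printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -tls1_3 -ign_eof \
    -connect "127.0.0.1:$PORT" "$@" 2>/dev/null
}

demo_local_resumption() {
  PORT=${PORT:-4433}                      # assumed free local port
  demo_dir=$(mktemp -d)
  # Throwaway self-signed certificate for the local test server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null
  # -www makes s_server answer the GET with a status page and close.
  openssl s_server -tls1_3 -accept "$PORT" -www \
    -cert "$demo_dir/cert.pem" -key "$demo_dir/key.pem" >/dev/null 2>&1 &
  demo_srv=$!
  sleep 1                                 # give s_server time to listen
  first=$(http_get -sess_out "$demo_dir/sess.pem" | resumption_status)
  second=$(http_get -sess_in "$demo_dir/sess.pem" | resumption_status)
  kill "$demo_srv" 2>/dev/null
  rm -rf "$demo_dir"
  echo "first=$first second=$second"
  # Succeeds only if the second connection resumed the first session.
  [ "$first" = new ] && [ "$second" = resumed ]
}

# Run the full demonstration with: sh resume_demo.sh run
if [ "${1:-}" = run ]; then demo_local_resumption; fi
```

In a packet capture of the second connection, the ClientHello carries the "pre_shared_key" extension that was missing in the -reconnect attempt.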

