Will TLSv1.3 always send session ticket?
Matt Caswell
matt at openssl.org
Thu Sep 16 07:56:28 UTC 2021
On 16/09/2021 07:19, Jaya Muthiah wrote:
> As I can read from the documents mentioned below, "or not at all"
> worries me. Is there a situation when a session ticket is not sent at
> all (other than when reused)?
TLSv1.3 does not require the server to send any tickets if it decides
not to. By default in OpenSSL a server will send 2 session tickets after
a normal handshake, or 1 session ticket after a resumption handshake.
There is nothing in the spec about that, so other libraries are very
likely to have different policies and defaults.
In OpenSSL it is possible to configure the a server to set the number of
tickets that are sent - including down to 0.
So, yes, there may be situations where the server does not send a
session ticket.
Matt
More information about the openssl-users
mailing list