Re: Session Ticket Support in Openssl TLS 1.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Wed, Jun 14, 2017 at 3:43 AM, Matt Caswell <matt@xxxxxxxxxxx> wrote:


On 14/06/17 01:38, Salz, Rich via openssl-users wrote:
> It’s disabled by default.  Servers that want to use server-side session
> caching have to call an API to turn it on

Err, no, that's not correct. Server side caching is on by default.
Client side caching is off by default.


I am quoting a line from Network Security with OpenSSL book (O'Reilly Media)

"All sessions must have a session ID context. For the server, session caching is disabled by default unless a call to SSL_CTX_set_session_id_context is made."

That's why I thought server side session caching is disabled by default.
 


On 14/06/17 02:03, Neetish Pathak wrote:
> Thanks for your reply Salz. However, I want to know should the session
> caching be enabled on server side for TLS 1.3 for session resumption.

It should just work by default for TLSv1.3. You don't need to enable
anything.
 
Yea it worked for previous TLS versions, so everything was inline. But since with TLS 1.3, I was not observing the same behavior, that's why my question was for TLS 1.3. 

> Also, I need a clarification on how does resumption work in case of
> session identifiers if server side caching is not enabled

As noted above server side caching is on by default.


 

On 14/06/17 02:33, Neetish Pathak wrote:
> I need some suggestions on how I can implement session resumption in TLS
> 1.3. I have implemented the resumption on the client side using a
> callback as recommended on the TLS 1.3
> blog https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
> <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/> . Still, the
> session resumption is not working. I know this because my new_session_cb
> which I have set using SSL_CTX_sess_set_new_cb is never getting invoked
> and also I don't see any improvement in connection time.
>
> The same implementation when I change the max TLS version to TLS1.2
> works and session resumption works as desired.
> I am not sure how I can resolve this.
>
> As mentioned on the blog post
>
> "In TLSv1.3 sessions are not established until after the main handshake
> has completed. The server sends a separate post-handshake message to the
> client containing the session details. Typically this will happen soon
> after the handshake has completed, but it could be sometime later (or
> not at all)."
>
> I think the server is not informing the session details to client at all
> in my case and hence the resumption is not working. Can someone please
> suggest how to resolve this

Just to be clear: you are using OpenSSL on both the server and client
sides right? If you are using something other than OpenSSL on the server
then the policy might be different around when the session information
is sent to the client (i.e. it could happen sometime later, or not at
all). If you are using OpenSSL on the server then it sends its session
information immediately after the main handshake has completed, so that
should not be a problem.

So if I understand you correctly the client is successfully creating a
TLSv1.3 connection, but the client side new session callback is never
being invoked? Did you call SSL_CTX_sess_set_new_cb() before or after
the SSL object itself was created? Are you able to share any code for
how you have done this?



Yes, I am using OpenSSl on both the server and client sides and my implementation works for TLS 1.2.  
Yea you understood correctly, the client is creating a connection but new session callback is not getting invoked.
I have called SSL_CTX_sess_set_new_cb before SSL object is created



Yea, sure following is a snippet from my client side implementation. I have highlighted the relevant section for new session callback registration



static int new_session_cb(SSL* ssl, SSL_SESSION * sess){



BIO *stmp = BIO_new_file(SESS_OUT,"w");


if(stmp == NULL){

BIO_printf(bio_err,"Error writing session file %s\n",SESS_OUT);

}else{

fprintf(stderr,"Session getting set\n");

PEM_write_bio_SSL_SESSION(stmp,sess);

BIO_free(stmp);

resumeInput = TRUE;

}


return 0;

}


int SocketClient::connectToServer(){


/*Initialization

** (1)Register SSL/TLS ciphers and digests

** (2)Load Opessl error Strings*/

init_OpenSSL();


/*Creating a new SSL context object*/

ssl_ctx = SSL_CTX_new(TLS_client_method());

SSL_CTX_set_max_proto_version(ssl_ctx, MAX_TLS_VERSION);

SSL_CTX_set_min_proto_version(ssl_ctx, MIN_TLS_VERSION);


if(NULL == ssl_ctx){

fail("SocketClient.cpp : ssl_ctx object creation failed"); perror("");

}else{

pass("SocketClient.cpp : ssl Context created successfully");

}



if(ssl_ctx){

SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT

| SSL_SESS_CACHE_NO_INTERNAL_STORE);

SSL_CTX_sess_set_new_cb(ssl_ctx, new_session_cb);

}

return 0;

}


int SocketClient::sslTcpConnect(){


/*Attaching the SSL connection to the Socket*/

if((this->conn = SSL_new(ssl_ctx)) == NULL){

perror("SocketClient.cpp : create new SSL failed ");

exit(1);

}


/*Try to resume session*/

#if SESS_RESUME


if(resumeInput){

SSL_SESSION *sess;

BIO *stmp = BIO_new_file(SESS_OUT, "r");

if (!stmp) {

BIO_printf(bio_err, "Can't open session file %s\n", SESS_OUT);

ERR_print_errors(bio_err);

}

sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);

BIO_free(stmp);

if (!sess) {

BIO_printf(bio_err, "Can't open session file %s\n", SESS_OUT);

ERR_print_errors(bio_err);

}

if (!SSL_set_session(this->conn, sess)) {

BIO_printf(bio_err, "Can't set session\n");

ERR_print_errors(bio_err);

}

SSL_SESSION_free(sess);

/*if(FALSE == TLSv1_3){

if(this->sessionId != NULL){

SSL_set_session(this->conn, this->sessionId);

SSL_SESSION_free(this->sessionId);

}

}*/

}


/*Another way of resumption*/

/*

if(this->sessionId != NULL){

SSL_set_session(this->conn, this->sessionId);

SSL_SESSION_free(this->sessionId);

}

*/

#endif


/****Establish TCP connection****/

/*Setting up BIO*/

bio = BIO_new_connect((this->serverName + ":" + this->portNumber).c_str());

if(!bio)

int_error("Error creating connection BIO");


if(BIO_do_connect(bio) <= 0){

fail("SocketClient.cpp : TCP connection failed");

}else{

pass("SocketClient.cpp : TCP connection successful");

}


/*set the file descriptor socket-fd as the input/output facility for the TLS/SSL*/

SSL_set_bio(conn, bio, bio);


/*Perform the SSL handshake*/

if(SSL_connect(conn) != 1){

fail("SocketClient.cpp : SSL connect failed"); perror("");

ERR_print_errors_fp(stderr);

SSL_clear(conn);

exit(1);

}else{

this->isConnected = true;

pass("SocketClient.cpp : SSL_connect successful");

}

return 0;

}


int SocketClient::sslTcpClosure(){

if (this->conn){

SSL_shutdown(this->conn);

}

if(this->bio)

BIO_free(this->bio);

return 0;

}




My calling sequence is :

client.connectToServer();

client.sslTcpConnect();

client.sslTcpClosure();




Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Thanks
BR,
Neetish 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux