Re: Double TLS 1.3 session ticket?

>> Thanks, it does not happen with Mozilla implementation
>> (tls13.crypto.mozilla.org), is this openssl specific or part of the
>> specification?
>
> The specification allows a server to send one or more tickets, at its discretion.

OK thanks, I could find the relevant PR and rationale after more googling.

One caveat though, the info_callback()s can now be called multiple
times with SSL_CB_HANDSHAKE_START/DONE (for each ticket), same
possibly for other callbacks (if any) where the state could be
tracked. The s_client output from the original message is misleading
in this regard.

For instance in Apache httpd info_callback() is used to check for and
forbid client initiated renegotiations, not a big deal since they
shouldn't exist anymore with TLS 1.3 (so this check has been disabled
since it's enforced by openssl in the first place), but I wonder if
announcing the start then end of the same handshake multiple times
could/should be avoided (i.e. handshake ends after last ticket only)?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
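
The caveat in the message above, as an added example (not part of the original post, and not Apache httpd's or OpenSSL's code): a renegotiation guard fed by info-callback events, in a naive form that flags any HANDSHAKE_START seen after a HANDSHAKE_DONE and a version-aware form that ignores the repeats on TLS 1.3. The struct, function names and event traces are constructed for illustration, and the TLS 1.3 trace assumes the per-ticket START/DONE signalling the message describes.

```c
#include <stdio.h>
/* Same values as OpenSSL's headers; guarded in case those are included first. */
#ifndef SSL_CB_HANDSHAKE_START
# define SSL_CB_HANDSHAKE_START 0x10
# define SSL_CB_HANDSHAKE_DONE  0x20
#endif
#ifndef TLS1_3_VERSION
# define TLS1_2_VERSION 0x0303
# define TLS1_3_VERSION 0x0304
#endif

/* Hypothetical per-connection state (could be kept via SSL_set_ex_data()). */
struct reneg_guard {
    int done_seen;   /* HANDSHAKE_DONE events seen so far */
    int reneg_flag;  /* set when a START is judged to be a renegotiation */
};

/* Feed one info-callback event; 'version' stands for SSL_version(ssl).
 * version_aware == 0: any START after a DONE counts as renegotiation.
 * version_aware == 1: repeats on a TLS 1.3 connection are ignored, since
 * TLS 1.3 has no renegotiation. Exact match keeps DTLS versions out. */
static void guard_event(struct reneg_guard *g, int where, int version,
                        int version_aware)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        if (g->done_seen > 0 && !(version_aware && version == TLS1_3_VERSION))
            g->reneg_flag = 1;
    } else if (where & SSL_CB_HANDSHAKE_DONE) {
        g->done_seen++;
    }
}

/* Replay a constructed event trace; returns 1 if the guard fired. */
static int replay(const int *where, int n, int version, int version_aware)
{
    struct reneg_guard g = {0, 0};
    for (int i = 0; i < n; i++)
        guard_event(&g, where[i], version, version_aware);
    return g.reneg_flag;
}

/* Constructed traces: handshake plus two tickets; handshake plus renegotiation. */
static const int TRACE_TLS13_TICKETS[] = {0x10, 0x20, 0x10, 0x20, 0x10, 0x20};
static const int TRACE_TLS12_RENEG[]   = {0x10, 0x20, 0x10};

int main(void)
{
    printf("TLS 1.3 + 2 tickets: naive=%d aware=%d\n",
           replay(TRACE_TLS13_TICKETS, 6, TLS1_3_VERSION, 0),
           replay(TRACE_TLS13_TICKETS, 6, TLS1_3_VERSION, 1));
    return 0;
}
```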


