On 20/06/18 22:31, Yann Ylavic wrote: >>> Thanks, it does not happen with mozzilla implementation >> (tls13.crypto.mozilla.org), is this openssl specific or part of the >> specification? >> >> The specification allows a server to send one or more tickets, at its discretion. > > OK thanks, I could find the relevant PR and rationale after more googling. > > One caveat though, the info_callback()s can now be called multiple > times with SSL_CB_HANDSHAKE_START/DONE (for each ticket), same > possibly for others callbacks (if any) where the state could be > tracked. The s_client output from the original message is misleading > in this regard. > > For instance in Apache httpd info_callback() is used to check for and > forbid client initiated renegotiations, not a big deal since they > shouldn't exist anymore with TLS 1.3 (so this check has been disabled > since it's enforced by openssl in the first place), but I wonder if > announcing the start then end of the same handshake multiple times > could/should be avoided (i.e. handshake ends after last ticket only)? They really are individual transactions, so it makes much more sense to me to signal each one as a separate handshake. On the client side we have little choice because we don't know how many tickets the server will send. It seems odd to do it differently on the server. Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
