On 12/09/18 14:04, John Jiang wrote: > I got the points! > 1. should not use -www option on server side Right - we should probably error out if you attempt to use those two options in combination. > 2. Possibly, no session ticket was saved in the first connection with > the below command, > echo "M" | openssl s_client -trace -state -CAfile ca.cer -tls1_3 > -sess_out openssl.sess -connect localhost:9443 > The client exited so quickly that didn't receive sever's session ticket. Ahh! Makes sense! Matt > > On Wed, Sep 12, 2018 at 8:16 PM Matt Caswell <matt@xxxxxxxxxxx > <mailto:matt@xxxxxxxxxxx>> wrote: > > Were you using the -www option to s_server before? You didn't mention it > in your original email, but in this log it shows you using it. > > Try without that option. > > Matt > > > On 12/09/18 12:25, John Jiang wrote: > > Very strange. I re-tried the same case, but the resumption failed. > > The attached logs contain the full outputs in the both connections on > > server and client sides. > > > > On Wed, Sep 12, 2018 at 7:09 PM Matt Caswell <matt@xxxxxxxxxxx > <mailto:matt@xxxxxxxxxxx> > > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>> wrote: > > > > Nothing particularly unexpected in there. Could you send me > the s_server > > log including *both* connections, i.e. the original connection > attempt > > to create the session, followed by the subsequent resume. > > > > Thanks > > > > Matt > > > > > > On 12/09/18 11:50, John Jiang wrote: > > > Could you please take a look at the attached s_client.log? > > > It was outputted by s_client with options -trace and -state > in the > > > second connection. > > > > > > Matt Caswell <matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx> > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>> > > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx> > <mailto:matt@xxxxxxxxxxx <mailto:matt@xxxxxxxxxxx>>>> 于2018年9月12 > > > 日周三 下午4:48写道: > > > > > > > > > > > > On 12/09/18 09:34, John Jiang wrote: > > > > > > > > It looks the session was resumed, but early data still was > > rejected. > > > > > > Hmm. Strange. I just tried the exact same sequence of > commands > > and it > > > was accepted. > > > > > > One thing to try is to recompile OpenSSL with the > > "enable-ssl-trace" > > > config option. Then you can add the "-trace" option to > > s_client and/or > > > s_server which might give a better clue as to why it is > rejected. > > > > > > Matt > > > > > > -- > > > openssl-users mailing list > > > To unsubscribe: > > https://mta.openssl.org/mailman/listinfo/openssl-users > > > > > > > > > > > -- > > openssl-users mailing list > > To unsubscribe: > https://mta.openssl.org/mailman/listinfo/openssl-users > > > > > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
