I tracked down my problem, its due to a change in the relative order of handshake completion (as detected by the info callback, anyhow), and the callback to SSL_CTX_set_tlsext_ticket_key_cb(). With TLS1.2, I can rotate ticket keys on the server when the handshake completes, and they will only apply to the next connection. With TLS1.3, the tickets haven't been sent yet, at the time the handshake completes, so when I "rotate" the keys, the new keys are used immediately afterwards in the ticket_key_cb to encrypt the tickets for the connection that just handshaked. Its semi-obvious in retrospect, after having read our ticket key handling code, but it took me a while to find it. And it turns out that yes, SSL_session_resumed() does work with TLS tickets. Thanks for the suggestions, Viktor. Cheers, Sam -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
