On 02/07/2021 10:09, Nan Xiao wrote:
> Hi OpenSSL users,
>
> Greetings from me! From this article
> (https://www.qacafe.com/resources/examples-of-tls-1-3/) and pcap file
> (https://www.cloudshark.org/captures/64d433b1585a), I know we can use
> s_server and s_client to simulate "TLS 1.3 Session Resumption". I
> tried the following command:
>
> echo | openssl s_client -tls1_3 -connect tls13.cloudflare.com:443 -reconnect

That looks like you've stumbled across an s_client bug. This should
work, but it doesn't appear to. I just raised an issue for it:
https://github.com/openssl/openssl/issues/15979

> But it seems not to work since there is no "pre_shared_key" extension,
> and every time s_client just initiated a new connection instead of
> resumption.
>
> Could anybody advise how to simulate "TLS 1.3 Session Resumption"
> through OpenSSL tools? Thanks very much in advance!

You can do this another way. Create an initial connection (add
"-connect" option as appropriate):

    openssl s_client -tls1_3 -sess_out sess.pem

And then resume like this:

    openssl s_client -tls1_3 -sess_in sess.pem

However, note that with TLSv1.3 the session data doesn't arrive until
post-handshake. In the case of the Cloudflare server it doesn't send any
session tickets until it has received some application data from the
client. So in order to get a valid resumable session you will have to
type some HTTP command into s_client once it has created its initial
connection. This should cause the Cloudflare server to respond with a
session ticket, which will get saved to the sess.pem file. You can then
use that in the subsequent resumption attempt.

Matt
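
Added example (not part of the original message and not OpenSSL project code): the two-step -sess_out / -sess_in procedure from the reply above as a POSIX shell script that also checks whether a ticket was actually saved and whether the second handshake was resumed. The function names, the 2-second wait and the default port are assumptions, as is matching on the "New,", "Reused," and "Post-Handshake New Session Ticket arrived:" lines that s_client prints.

```shell
#!/bin/sh
# Added example: function names, the 2-second wait and the port default are assumptions.

# Step 1: full handshake. Send an HTTP request and hold stdin open briefly so the
# post-handshake NewSessionTicket can arrive and be written by -sess_out.
save_session() {    # save_session HOST PORT SESSFILE
    { printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1"; sleep 2; } |
        openssl s_client -tls1_3 -connect "$1:$2" -servername "$1" -sess_out "$3" 2>&1
}

# Step 2: offer the saved session; empty stdin means handshake only.
resume_session() {  # resume_session HOST PORT SESSFILE
    openssl s_client -tls1_3 -connect "$1:$2" -servername "$1" -sess_in "$3" </dev/null 2>&1
}

# Classify an s_client transcript on stdin.
# Prints "resumed", "full tickets=N" or "no-handshake".
handshake_status() {
    awk '
        /^Post-Handshake New Session Ticket arrived:/ { tickets++ }
        /^Reused, TLSv1\.3, Cipher is /               { state = "resumed" }
        /^New, TLSv1\.3, Cipher is /                  { state = "full" }
        END {
            if (state == "resumed")   print "resumed"
            else if (state == "full") printf "full tickets=%d\n", tickets
            else                      print "no-handshake"
        }'
}

# Run both steps; return 0 only when the second connection was resumed.
check_resumption() {  # check_resumption HOST [PORT]
    host=$1; port=${2:-443}
    sess=$(mktemp) || return 2
    first=$(save_session "$host" "$port" "$sess" | handshake_status)
    echo "first connection:  $first"
    if [ ! -s "$sess" ]; then
        echo "no ticket was saved; nothing to resume with" >&2
        rm -f "$sess"; return 1
    fi
    second=$(resume_session "$host" "$port" "$sess" | handshake_status)
    echo "second connection: $second"
    rm -f "$sess"
    [ "$second" = "resumed" ]
}

# Run as a script: sh check.sh tls13.cloudflare.com
if [ "$#" -ge 1 ]; then check_resumption "$@"; fi
```

A first connection reported as "full tickets=0" is the case described in the reply: the server sent no ticket before the client closed, so there is nothing in the session file to resume from.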