TLS 1.3 session reuse (resumption) does not work (OpenSSL) #3202
I did this
I have tested SSL/TLS session reuse with TLS 1.3 and "openssl s_server".
With TLS 1.3, curl creates two SSL sessions:
With TLS 1.2, curl reuses the SSL session (as expected):
I expected the following
SSL/TLS session reuse works with TLS 1.3
OpenSSL Wiki: TLS 1.3 - Sessions
curl should use the SSL_CTX_sess_set_new_cb function to set a "new session" callback.
Probably other SSL backends are also affected.
Session resumption information is not available immediately after a TLS 1.3 handshake. The client must wait until the server has sent a session ticket.
Use OpenSSL's "new session" callback to get the session information and put it into curl's session cache. For TLS 1.3 sessions, this callback will be invoked after the server has sent a session ticket.
The "new session" callback is invoked only if OpenSSL's session cache is enabled, so enable it and use the "external storage" mode which lets curl manage the contents of the session cache.
A pointer to the connection data and the sockindex are now saved as "SSL extra data" to make them available to the callback.
This approach also works for old SSL/TLS versions and old OpenSSL versions.
Fixes curl#3202
TLS 1.3 uses a new session resume mechanism; it's similar to the (old) session tickets, but it's not the same.