Closed
Description
I did this
I have tested SSL/TLS session reuse with TLS 1.3 and "openssl s_server".
With TLS 1.3, curl creates two SSL sessions:
./curl -k -v https://localhost:4433/ https://localhost:4433/
Output:
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
With TLS 1.2, curl reuses the SSL session (as expected):
./curl -k -v --tls-max 1.2 https://localhost:4433/ https://localhost:4433/
Output:
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
...
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
I expected the following
SSL/TLS session reuse works with TLS 1.3
curl/libcurl version
curl 7.62.0-DEV (x86_64-pc-linux-gnu) libcurl/7.62.0-DEV OpenSSL/1.1.1 zlib/1.2.11 nghttp2/1.32.1
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy
operating system
Linux
Hints
OpenSSL Wiki: TLS 1.3 - Sessions
curl should use the SSL_CTX_sess_set_new_cb function to set a "new session" callback.
Probably other SSL backends are also affected.
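
Added example, not part of the original report and not curl or OpenSSL code: a small regression check that reads handshake summary lines in the `New, ...` / `Reused, ...` format quoted above and flags every connection after the first that did a full handshake instead of resuming. The function names are hypothetical, the sample logs are constructed from the lines in the report, and the check assumes all connections in one log come from a single client run that was expected to reuse its session.

```python
import re

# Handshake summary line, e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384".
SUMMARY = re.compile(r"^(New|Reused), (TLSv[\d.]+), Cipher is (\S+)$")

# Constructed sample logs, built from the output lines quoted in the report.
TLS13_RUN = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
"""
TLS12_RUN = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
...
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""


def parse_handshakes(log_text):
    """Return [(state, version, cipher), ...] in connection order.

    Lines that are not handshake summaries (such as "...") are skipped.
    """
    return [m.groups() for line in log_text.splitlines()
            if (m := SUMMARY.match(line.strip()))]


def missed_resumptions(log_text):
    """Return (index, version, cipher) for each connection after the first
    that negotiated a fresh session ("New") rather than resuming one."""
    return [(i, version, cipher)
            for i, (state, version, cipher)
            in enumerate(parse_handshakes(log_text))
            if i > 0 and state == "New"]


if __name__ == "__main__":
    for name, log in (("TLS 1.3 run", TLS13_RUN), ("TLS 1.2 run", TLS12_RUN)):
        missed = missed_resumptions(log)
        verdict = "session reused" if not missed else f"NOT reused: {missed}"
        print(f"{name}: {verdict}")
```
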