TLS 1.3 session reuse (resumption) does not work (OpenSSL) #3202

Closed
@mkauf

I did this

I have tested SSL/TLS session reuse with TLS 1.3 and "openssl s_server".

With TLS 1.3, curl creates two SSL sessions:

./curl -k -v https://localhost:4433/ https://localhost:4433/

Output:

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

With TLS 1.2, curl reuses the SSL session (as expected):

./curl -k -v --tls-max 1.2 https://localhost:4433/ https://localhost:4433/

Output:

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
...
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

I expected the following

SSL/TLS session reuse works with TLS 1.3

curl/libcurl version

curl 7.62.0-DEV (x86_64-pc-linux-gnu) libcurl/7.62.0-DEV OpenSSL/1.1.1 zlib/1.2.11 nghttp2/1.32.1
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy 

operating system

Linux

Hints

OpenSSL Wiki: TLS 1.3 - Sessions

curl should use the SSL_CTX_sess_set_new_cb function to set a "new session" callback.

Probably other SSL backends are also affected.
