The problem I think is that curl disables session ticket resumption, and only performs session ID resumption, which is not available in TLS 1.3 anymore. Support for session ticket resumption is also a requirement for TLS 1.3 0-RTT support.
mkauf added a commit to mkauf/curl that referenced this issue Nov 14, 2018
Session resumption information is not available immediately after a TLS 1.3
handshake. The client must wait until the server has sent a session ticket.
Use OpenSSL's "new session" callback to get the session information and put it
into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
after the server has sent a session ticket.
The "new session" callback is invoked only if OpenSSL's session cache is
enabled, so enable it and use the "external storage" mode which lets curl manage
the contents of the session cache.
A pointer to the connection data and the sockindex are now saved as "SSL extra
data" to make them available to the callback.
This approach also works for old SSL/TLS versions and old OpenSSL versions.
Fixes curl#3202
The problem I think is that curl disables session ticket resumption, and only performs session ID resumption, which is not available in TLS 1.3 anymore.
TLS 1.3 uses a new session resume mechanism; it's similar to the (old) session tickets, but it's not the same.
lockbot locked as resolved and limited conversation to collaborators Feb 19, 2019
I did this
I have tested SSL/TLS session reuse with TLS 1.3 and "openssl s_server".
With TLS 1.3, curl creates two SSL sessions:
Output:
With TLS 1.2, curl reuses the SSL session (as expected):
Output:
I expected the following
SSL/TLS session reuse works with TLS 1.3
curl/libcurl version
operating system
Linux
Hints
OpenSSL Wiki: TLS 1.3 - Sessions
curl should use the SSL_CTX_sess_set_new_cb function to set a "new session" callback.
Probably other SSL backends are also affected.