API to send NewSessionTicket on demand #10069
Assignees
Labels
triaged: feature
The issue/pr requests/adds a feature
Comments
|
This seems like a reasonable request, and something that I always expected we would do anyway. |
mattcaswell
added
help wanted
triaged: feature
|
Belatedly closing, since #11416 was merged |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
TLS 1.3 allows for the NewSessionTicket message to be sent at any time after the handshake.
OpenSSL offers an SSL_SESSION_set1_ticket_appdata() API to let the application include data in that session ticket, and the normal course of execution of a program might cause the application to wish to update the data included in the session ticket used by the client. In order to do so, the application would need a way to cause libssl to generate a NewSessionTicket message on demand; libssl currently only emits (SSL_set_num_tickets()) tickets immediately after a handshake completes, and never after that. An SSL_write_ticket() API was proposed in #7948 as one of many potential routes towards solving that problem, but it may have utility in other scenarios as well.
This issue is for discussion of whether we would want to support this general class of functionality, and if so, what the appropriate API contract would be. I haven't started to write any code since this would necessarily interact with the handshake state machine, which always requires some delicateness. Probably we would need to generalize the mechanism we use to re-enter handshake mode for update-requested KeyUpdate scenarios in order to handle the requesut to send NewSessionTicket as well, but that's just from memory and not based on any experimentation.
The text was updated successfully, but these errors were encountered: