On Wed, Jul 29, 2020 at 02:57:33PM -0700, Jeremy Evans wrote:
> After an OpenBSD upgrade, one of Ruby's tests for SSL session
> reuse started to fail. After some debugging, I have found that
> if a maximum SSL version is not set by a client, then session
> reuse does not work. Setting a minimum version does not have
> an effect.

This is an expected side-effect of switching TLS_method() to default to
TLSv1.3

https://github.com/openbsd/src/commit/94149d15d762bdbf7eef74c417c53d2b8dc7dd12

By setting the max version to TLSv1 with :TLS1 (or any of the other
defined versions :TLS1_1 or :TLS1_2), you use the legacy stack which
supports session resumption. The minimum version is already TLSv1, so
setting the minimum version to :TLSv1 has no effect.

In TLSv1.3, the session resumption feature has been merged with
pre-shared keys, which we may eventually support, but that's not going
to happen very soon:

https://tools.ietf.org/html/rfc8446#page-15
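
A way to check the behaviour described above on a given build, as an added example that is not part of the original message: a Ruby probe that handshakes twice against a loopback server and reports whether the second connection resumed the first session. The helper names and the throwaway certificate are constructed for the example, and the result without a maximum version depends on the TLS library Ruby is linked against.

```ruby
require "openssl"
require "socket"

# Constructed throwaway self-signed certificate for the loopback test server.
def make_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Handshake twice against a local server, offering the first session on the
# second connection. Returns [negotiated_version, session_reused?] for the second.
def resumption_probe(max_version: nil)
  cert, key = make_cert
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = cert, key
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  thread = Thread.new { 2.times { c = server.accept; c.gets; c.puts "ok"; c.close } }
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)                        # trust only the test certificate
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.cert_store = store
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.max_version = max_version if max_version  # e.g. :TLS1_2, as in the message
  session = result = nil
  2.times do
    ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), cctx)
    ssl.sync_close = true
    ssl.session = session if session          # offer the previous session
    ssl.connect
    ssl.puts "hi"; ssl.gets                   # complete one round trip first
    result = [ssl.ssl_version, ssl.session_reused?]
    session = ssl.session
    ssl.close
  end
  thread.join
  tcp.close
  result
end

[nil, :TLS1_2].each { |m| p [m, resumption_probe(max_version: m)] } if __FILE__ == $0
```

A `false` in the second position for the run without a maximum version, next to `true` for `:TLS1_2`, matches the behaviour reported in this thread.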