On Wed, Jun 14, 2017 at 3:43 AM, Matt Caswell <m...@openssl.org> wrote:
> > > On 14/06/17 01:38, Salz, Rich via openssl-users wrote: > > It’s disabled by default. Servers that want to use server-side session > > caching have to call an API to turn it on > > Err, no, that's not correct. Server side caching is on by default. > Client side caching is off by default. > I am quoting a line from Network Security with OpenSSL book (O'Reilly Media) "All sessions must have a session ID context. For the server, session caching is disabled by default unless a call to SSL_CTX_set_session_id_context is made." That's why I thought server side session caching is disabled by default. > > > On 14/06/17 02:03, Neetish Pathak wrote: > > Thanks for your reply Salz. However, I want to know should the session > > caching be enabled on server side for TLS 1.3 for session resumption. > > It should just work by default for TLSv1.3. You don't need to enable > anything. > Yea it worked for previous TLS versions, so everything was inline. But since with TLS 1.3, I was not observing the same behavior, that's why my question was for TLS 1.3. > > > Also, I need a clarification on how does resumption work in case of > > session identifiers if server side caching is not enabled > > As noted above server side caching is on by default. > > > On 14/06/17 02:33, Neetish Pathak wrote: > > I need some suggestions on how I can implement session resumption in TLS > > 1.3. I have implemented the resumption on the client side using a > > callback as recommended on the TLS 1.3 > > blog https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/ > > <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/> . Still, the > > session resumption is not working. I know this because my new_session_cb > > which I have set using SSL_CTX_sess_set_new_cb is never getting invoked > > and also I don't see any improvement in connection time. > > > > The same implementation when I change the max TLS version to TLS1.2 > > works and session resumption works as desired. > > I am not sure how I can resolve this. > > > > As mentioned on the blog post > > > > "In TLSv1.3 sessions are not established until after the main handshake > > has completed. The server sends a separate post-handshake message to the > > client containing the session details. Typically this will happen soon > > after the handshake has completed, but it could be sometime later (or > > not at all)." > > > > I think the server is not informing the session details to client at all > > in my case and hence the resumption is not working. Can someone please > > suggest how to resolve this > > Just to be clear: you are using OpenSSL on both the server and client > sides right? If you are using something other than OpenSSL on the server > then the policy might be different around when the session information > is sent to the client (i.e. it could happen sometime later, or not at > all). If you are using OpenSSL on the server then it sends its session > information immediately after the main handshake has completed, so that > should not be a problem. > > So if I understand you correctly the client is successfully creating a > TLSv1.3 connection, but the client side new session callback is never > being invoked? Did you call SSL_CTX_sess_set_new_cb() before or after > the SSL object itself was created? Are you able to share any code for > how you have done this? > Yes, I am using OpenSSl on both the server and client sides and my implementation works for TLS 1.2. Yea you understood correctly, the client is creating a connection but new session callback is not getting invoked. I have called SSL_CTX_sess_set_new_cb before SSL object is created Yea, sure following is a snippet from my client side implementation. I have highlighted the relevant section for new session callback registration *static* *int* *new_session_cb*(SSL* ssl, SSL_SESSION * sess){ BIO *stmp = BIO_new_file(SESS_OUT,"w"); *if*(stmp == NULL){ BIO_printf(bio_err,"Error writing session file %s\n",SESS_OUT); }*else*{ fprintf(stderr,"Session getting set\n"); PEM_write_bio_SSL_SESSION(stmp,sess); BIO_free(stmp); resumeInput = TRUE; } *return* 0; } *int* *SocketClient::connectToServer*(){ /*Initialization ** (1)Register SSL/TLS ciphers and digests ** (2)Load Opessl error Strings*/ init_OpenSSL(); /*Creating a new SSL context object*/ ssl_ctx = SSL_CTX_new(TLS_client_method()); SSL_CTX_set_max_proto_version(ssl_ctx, MAX_TLS_VERSION); SSL_CTX_set_min_proto_version(ssl_ctx, MIN_TLS_VERSION); *if*(NULL == ssl_ctx){ fail("SocketClient.cpp : ssl_ctx object creation failed"); perror(""); }*else*{ pass("SocketClient.cpp : ssl Context created successfully"); } *if(ssl_ctx){* * SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_CLIENT* * | SSL_SESS_CACHE_NO_INTERNAL_STORE);* * SSL_CTX_sess_set_new_cb(ssl_ctx, new_session_cb);* * }* *return* 0; } int *SocketClient::sslTcpConnect*(){ /*Attaching the SSL connection to the Socket*/ *if*((*this*->conn = SSL_new(ssl_ctx)) == NULL){ perror("SocketClient.cpp : create new SSL failed "); exit(1); } /*Try to resume session*/ *#if* SESS_RESUME *if*(resumeInput){ SSL_SESSION *sess; BIO *stmp = BIO_new_file(SESS_OUT, "r"); *if* (!stmp) { BIO_printf(bio_err, "Can't open session file %s\n", SESS_OUT); ERR_print_errors(bio_err); } sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); BIO_free(stmp); *if* (!sess) { BIO_printf(bio_err, "Can't open session file %s\n", SESS_OUT); ERR_print_errors(bio_err); } *if* (!SSL_set_session(*this*->conn, sess)) { BIO_printf(bio_err, "Can't set session\n"); ERR_print_errors(bio_err); } SSL_SESSION_free(sess); /*if(FALSE == TLSv1_3){ if(this->sessionId != NULL){ SSL_set_session(this->conn, this->sessionId); SSL_SESSION_free(this->sessionId); } }*/ } /*Another way of resumption*/ /* if(this->sessionId != NULL){ SSL_set_session(this->conn, this->sessionId); SSL_SESSION_free(this->sessionId); } */ *#endif* /****Establish TCP connection****/ /*Setting up BIO*/ bio = BIO_new_connect((*this*->serverName + ":" + *this*->portNumber ).c_str()); *if*(!bio) int_error("Error creating connection BIO"); *if*(BIO_do_connect(bio) <= 0){ fail("SocketClient.cpp : TCP connection failed"); }*else*{ pass("SocketClient.cpp : TCP connection successful"); } /*set the file descriptor socket-fd as the input/output facility for the TLS/SSL*/ SSL_set_bio(conn, bio, bio); /*Perform the SSL handshake*/ *if*(SSL_connect(conn) != 1){ fail("SocketClient.cpp : SSL connect failed"); perror(""); ERR_print_errors_fp(stderr); SSL_clear(conn); exit(1); }*else*{ *this*->isConnected = *true*; pass("SocketClient.cpp : SSL_connect successful"); } *return* 0; } *int* *SocketClient::sslTcpClosure*(){ *if* (*this*->conn){ SSL_shutdown(*this*->conn); } *if*(*this*->bio) BIO_free(*this*->bio); *return* 0; } My calling sequence is : client.connectToServer(); client.sslTcpConnect(); client.sslTcpClosure(); > Matt > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > Thanks BR, Neetish
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
