Two sessions in a single full handshake


Two sessions in a single full handshake

John Jiang
Using OpenSSL 1.1.1.
The debug logs display two "SSL-Session" blocks in a full handshake.
Only one "SSL-Session" block is displayed in a resumption.
Why does a full handshake have two sessions?

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Two sessions in a single full handshake

OpenSSL - User mailing list
> The debug logs display two "SSL-Session" blocks in a full handshake.
> Only one "SSL-Session" block is displayed in a resumption.
> Why does a full handshake have two sessions?

This is part of the TLS 1.3 standard.  A server can send back multiple sessions, so that a client may resume with a different session, and therefore prevent an observer from “linking” two different activities.



Re: Two sessions in a single full handshake

John Jiang
Does s_client resume any session in the local session file?

On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <[hidden email]> wrote:
> > The debug logs display two "SSL-Session" blocks in a full handshake.
> > Only one "SSL-Session" block is displayed in a resumption.
> > Why does a full handshake have two sessions?
>
> This is part of the TLS 1.3 standard.  A server can send back multiple sessions, so that a client may resume with a different session, and therefore prevent an observer from “linking” two different activities.


Re: Two sessions in a single full handshake

OpenSSL - User mailing list
s_client has -sess_out and -sess_in options that can be used
to save session information to a file and read it in for a subsequent
connection.  Neither is used by default.

-Ben

On Sun, Sep 30, 2018 at 11:06:14AM +0800, John Jiang wrote:

> Does s_client resume any session in the local session file?
>
> On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <
> [hidden email]> wrote:
>
> >
> >    - The debug logs display two "SSL-Session" blocks in a full handshake.
> >
> > Only one "SSL-Session" block is displayed in a resumption.
> >
> > Why does full handshake has two sessions?
> >
> >
> >
> > This is part of the TLS 1.3 standard.  A server can send back multiple
> > sessions, so that a client may resume with a different session, and
> > therefore prevent an observer from “linking” two different activities.
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> >

> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Two sessions in a single full handshake

John Jiang
Now that a full handshake sends two sessions, does that mean the option -sess_out saves both of the sessions to a local file?
If so, when resuming a session via the option -sess_in, which session will be resumed?

On Sun, Sep 30, 2018 at 11:47 AM Benjamin Kaduk via openssl-users <[hidden email]> wrote:
s_client has -sess_out and -sess_in options that can be used
to save session information to a file and read it in for a subsequent
connection.  Neither is used by default.

-Ben

On Sun, Sep 30, 2018 at 11:06:14AM +0800, John Jiang wrote:
> Does s_client resume any session in the local session file?
>
> On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <
> [hidden email]> wrote:
>
> >
> >    - The debug logs display two "SSL-Session" blocks in a full handshake.
> >
> > Only one "SSL-Session" block is displayed in a resumption.
> >
> > Why does full handshake has two sessions?
> >
> >
> >
> > This is part of the TLS 1.3 standard.  A server can send back multiple
> > sessions, so that a client may resume with a different session, and
> > therefore prevent an observer from “linking” two different activities.
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> >

> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Two sessions in a single full handshake

Richard
B I 

On Sat, Sep 29, 2018 at 10:06 PM John Jiang <[hidden email]> wrote:
Now that full handshake sends two sessions, does that mean option -sess_out saves both of the sessions to a local file?
If so, when resume session via option -sess_in, which session will be resumed?

On Sun, Sep 30, 2018 at 11:47 AM Benjamin Kaduk via openssl-users <[hidden email]> wrote:
s_client has -sess_out and -sess_in options that can be used
to save session information to a file and read it in for a subsequent
connection.  Neither is used by default.

-Ben

On Sun, Sep 30, 2018 at 11:06:14AM +0800, John Jiang wrote:
> Does s_client resume any session in the local session file?
>
> On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <
> [hidden email]> wrote:
>
> >
> >    - The debug logs display two "SSL-Session" blocks in a full handshake.
> >
> > Only one "SSL-Session" block is displayed in a resumption.
> >
> > Why does full handshake has two sessions?
> >
> >
> >
> > This is part of the TLS 1.3 standard.  A server can send back multiple
> > sessions, so that a client may resume with a different session, and
> > therefore prevent an observer from “linking” two different activities.
> > --
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> >

> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Two sessions in a single full handshake

Matt Caswell-2
In reply to this post by John Jiang


On 30/09/18 06:05, John Jiang wrote:
> Now that full handshake sends two sessions, does that mean option
> -sess_out saves both of the sessions to a local file?

The last session received is the one in the sess_out file.

Matt


> If so, when resume session via option -sess_in, which session will be
> resumed?
>
> On Sun, Sep 30, 2018 at 11:47 AM Benjamin Kaduk via openssl-users
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     s_client has -sess_out and -sess_in options that can be used
>     to save session information to a file and read it in for a subsequent
>     connection.  Neither is used by default.
>
>     -Ben
>
>     On Sun, Sep 30, 2018 at 11:06:14AM +0800, John Jiang wrote:
>     > Does s_client resume any session in the local session file?
>     >
>     > On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <
>     > [hidden email] <mailto:[hidden email]>> wrote:
>     >
>     > >
>     > >    - The debug logs display two "SSL-Session" blocks in a full
>     handshake.
>     > >
>     > > Only one "SSL-Session" block is displayed in a resumption.
>     > >
>     > > Why does full handshake has two sessions?
>     > >
>     > >
>     > >
>     > > This is part of the TLS 1.3 standard.  A server can send back
>     multiple
>     > > sessions, so that a client may resume with a different session, and
>     > > therefore prevent an observer from “linking” two different
>     activities.
>     > > --
>     > > openssl-users mailing list
>     > > To unsubscribe:
>     https://mta.openssl.org/mailman/listinfo/openssl-users
>     > >
>
>     > --
>     > openssl-users mailing list
>     > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>     --
>     openssl-users mailing list
>     To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
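
The behaviour discussed in this thread can be checked from saved s_client output. The script below is an added example, not code from the thread or from OpenSSL: `summarize_sclient` is a hypothetical helper name, HOST is a placeholder, and the two sample logs are constructed and abbreviated.

```shell
#!/bin/sh
# Live commands that would produce the logs (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -tls1_3 -sess_out sess.pem > full.log
#   openssl s_client -connect HOST:443 -tls1_3 -sess_in  sess.pem > resume.log

# Read s_client output on stdin. Report the handshake type, the number of
# "SSL-Session:" blocks, and the Session-ID of the last block, which per
# the thread is the session that ends up in the -sess_out file.
summarize_sclient() {
  awk '
    /^New, TLSv/      { hs = "full" }
    /^Reused, TLSv/   { hs = "resumed" }
    /^SSL-Session:/   { n++ }
    /^ *Session-ID: / { id = $2 }   # does not match "Session-ID-ctx:"
    END { printf "handshake=%s sessions=%d saved_id=%s\n", hs, n, id }
  '
}

# Constructed sample: full TLS 1.3 handshake, two session blocks.
sample_full_log() {
cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Session-ID: AAAA1111
    Session-ID-ctx:
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Session-ID: BBBB2222
    Session-ID-ctx:
---
EOF
}

# Constructed sample: resumption, one session block.
sample_resume_log() {
cat <<'EOF'
Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Session-ID: CCCC3333
---
EOF
}

sample_full_log   | summarize_sclient
sample_resume_log | summarize_sclient
```

The file written by -sess_out can be inspected with `openssl sess_id -in sess.pem -noout -text` and compared against the last block in the log.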