Why openssl is printing session ID where there is none sent by server, when using session ticket?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Why openssl is printing session ID where there is none sent by server, when using session ticket?

M K Saravanan
Hi,

When I use openssl s_client to connect to a server which uses session
ticket to resume a session (session ID is turned off), openssl is
still printing a session ID where none is sent by the server (packet
capture shows session ID length = zero in the Server Hello).

==========
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 8C7B3863F4B599A10BB83258D0FCE0530CC3C858DC0E2561199599C4806D7457
    Session-ID-ctx:
    Master-Key:
226360F20D74DB3F5FED014C20AD897CF75C21D14FA358BE934BD50FAF4F1696CB9A05A45F6FACDD46D912CDAE060D0F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - c9 c2 1a de f4 8f 59 1f-2a e1 58 b3 71 9f 9a 5f   ......Y.*.X.q.._
    0010 - 2f eb 0f a6 4c 0a e4 11-d9 db 52 7f 12 f6 0e a6   /...L.....R.....
    0020 - ec 2a c2 9b 3c d3 f5 b0-4e 93 b0 eb 44 12 3d 2b   .*..<...N...D.=+
    0030 - 46 a1 16 4d 4b aa 0d e4-63 68 ae b9 b8 27 16 d5   F..MK...ch...'..
    0040 - 1b d0 00 2c a5 48 5d b4-ba 44 3e 97 40 3e 74 ac   ...,.H]..D>.@>t.
    0050 - 76 94 e4 ae 1b c5 bb 44-48 49 88 65 cc 3c fc 95   v......DHI.e.<..
    0060 - 6e 92 ee 54 44 b1 f0 b1-7e 28 7d 5d 28 d1 00 1a   n..TD...~(}](...
    0070 - 8e f3 53 34 bc d9 c7 7f-e5 21 1c 15 cf 19 21 4f   ..S4.....!....!O
    0080 - 2b 51 b4 7c cf dd de 51-50 ce e2 b9 5f bd 65 55   +Q.|...QP..._.eU
    0090 - c4 0d fc 0f 6f ee 40 08-ac 7c fa 2a fa 9c 07 1d   ....o.@..|.*....
    00a0 - 60 97 19 fd f5 7f 3e 73-c0 24 0a 51 63 0d db 73   `.....>s.$.Qc..s

    Start Time: 1547551254
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
==========

OpenSSL version:

$ openssl version
OpenSSL 1.1.1a  20 Nov 2018

OS version:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.1 LTS
Release:        18.04
Codename:       bionic
----------------------------------
Is it a bug?

with regards,
Saravanan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Why openssl is printing session ID where there is none sent by server, when using session ticket?

Matt Caswell-2


On 15/01/2019 11:29, M K Saravanan wrote:
> Hi,
>
> When I use openssl s_client to connect to a server which uses session
> ticket to resume a session (session ID is turned off), openssl is
> still printing a session ID where none is sent by the server (packet
> capture shows session ID length = zero in the Server Hello).


This is perhaps best explained by this comment in the client side code for
processing a new ticket from the server:

    /*
     * There are two ways to detect a resumed ticket session. One is to set
     * an appropriate session ID and then the server must return a match in
     * ServerHello. This allows the normal client session ID matching to work
     * and we know much earlier that the ticket has been accepted. The
     * other way is to set zero length session ID when the ticket is
     * presented and rely on the handshake to determine session resumption.
     * We choose the former approach because this fits in with assumptions
     * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
     * SHA256 is disabled) hash of the ticket.
     */

So in other words, when the client receives a ticket from the server it assigns
it its own session id. This session id will be presented back to the server when
the client attempts to resume using the ticket - and the server MUST echo it
back if it accepts the ticket.

Matt




>
> ==========
> New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID: 8C7B3863F4B599A10BB83258D0FCE0530CC3C858DC0E2561199599C4806D7457
>     Session-ID-ctx:
>     Master-Key:
> 226360F20D74DB3F5FED014C20AD897CF75C21D14FA358BE934BD50FAF4F1696CB9A05A45F6FACDD46D912CDAE060D0F
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 3600 (seconds)
>     TLS session ticket:
>     0000 - c9 c2 1a de f4 8f 59 1f-2a e1 58 b3 71 9f 9a 5f   ......Y.*.X.q.._
>     0010 - 2f eb 0f a6 4c 0a e4 11-d9 db 52 7f 12 f6 0e a6   /...L.....R.....
>     0020 - ec 2a c2 9b 3c d3 f5 b0-4e 93 b0 eb 44 12 3d 2b   .*..<...N...D.=+
>     0030 - 46 a1 16 4d 4b aa 0d e4-63 68 ae b9 b8 27 16 d5   F..MK...ch...'..
>     0040 - 1b d0 00 2c a5 48 5d b4-ba 44 3e 97 40 3e 74 ac   ...,.H]..D>.@>t.
>     0050 - 76 94 e4 ae 1b c5 bb 44-48 49 88 65 cc 3c fc 95   v......DHI.e.<..
>     0060 - 6e 92 ee 54 44 b1 f0 b1-7e 28 7d 5d 28 d1 00 1a   n..TD...~(}](...
>     0070 - 8e f3 53 34 bc d9 c7 7f-e5 21 1c 15 cf 19 21 4f   ..S4.....!....!O
>     0080 - 2b 51 b4 7c cf dd de 51-50 ce e2 b9 5f bd 65 55   +Q.|...QP..._.eU
>     0090 - c4 0d fc 0f 6f ee 40 08-ac 7c fa 2a fa 9c 07 1d   ....o.@..|.*....
>     00a0 - 60 97 19 fd f5 7f 3e 73-c0 24 0a 51 63 0d db 73   `.....>s.$.Qc..s
>
>     Start Time: 1547551254
>     Timeout   : 7200 (sec)
>     Verify return code: 18 (self signed certificate)
>     Extended master secret: no
> ==========
>
> OpenSSL version:
>
> $ openssl version
> OpenSSL 1.1.1a  20 Nov 2018
>
> OS version:
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 18.04.1 LTS
> Release:        18.04
> Codename:       bionic
> ----------------------------------
> Is it a bug?
>
> with regards,
> Saravanan
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Why openssl is printing session ID where there is none sent by server, when using session ticket?

M K Saravanan
Hi Matt,

On Tue, 15 Jan 2019 at 20:02, Matt Caswell <[hidden email]> wrote:

> This is perhaps best explained by this comment in the client side code for
> processing a new ticket from the server:
>
>     /*
>      * There are two ways to detect a resumed ticket session. One is to set
>      * an appropriate session ID and then the server must return a match in
>      * ServerHello. This allows the normal client session ID matching to work
>      * and we know much earlier that the ticket has been accepted. The
>      * other way is to set zero length session ID when the ticket is
>      * presented and rely on the handshake to determine session resumption.
>      * We choose the former approach because this fits in with assumptions
>      * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
>      * SHA256 is disabled) hash of the ticket.
>      */

Beautiful!  Thank you so much for the clarification.

with regards,
Saravanan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users