
TLS 1.3 supports session resumption using pre-shared keys. After a successful handshake the server may send the client a NewSessionTicket record that contains a pre-shared key. The client may use this pre-shared key in order to resume the session in the future.

On the client side, I need to read the NewSessionTicket so I can later use the PSK to resume the session. The client should be able to run once and conduct a full handshake. Later, the client should be able to run again and conduct a PSK session resumption.

I am having trouble reading the NewSessionTicket sent by the server using OpenSSL. I tried to use SSL_read but it just returned an empty buffer. I also tried to use SSL_SESSION_get0_ticket_appdata but it didn't work either. Lastly, I tried to use SSL_get_psk_identity, but again it just returned a null pointer.

What is the proper way to read the NewSessionTicket?

Ido
  • SSL_read is only for application data, which a session ticket is not. Could you please explain your use case, i.e. not only **that** you want to read NewSessionTicket but **why**? Usually OpenSSL handles the reuse of sessions transparently, so nothing needs to be done by the client. – Steffen Ullrich Dec 04 '22 at 17:30
  • @SteffenUllrich+ on server side it's automatic, but on client side -- since libssl originally didn't know server identity at clienthello time, and still might not -- code must save the SSL_SESSION object from the first or earlier connection and set it on the next. Through 1.2 this truly was session parameters including master secret; in 1.3 it's parameters for a NewTicket-generated PSK. Note that if you could read the NewTicket message it would not be sufficient to do resumption because it must be combined with the locally-KDFed key. – dave_thompson_085 Dec 04 '22 at 20:18
  • @SteffenUllrich I added the *why*. Are you sure the reuse of sessions is done transparently by OpenSSL? Is it documented somewhere? I could not find any resource – Ido Dec 05 '22 at 07:35
  • @Ido: *"Edit: I need to read the NewSessionTicket so I can later use the PSK to resume the session."* - reusing the same session on a different socket is done using SSL_get_session (or better SSL_get1_session to increase the reference counter) and SSL_set_session, which also work with the session mechanism in lower TLS versions. – Steffen Ullrich Dec 05 '22 at 07:37
  • Note that SSL_get_session/SSL_get1_session only return details for the last session ticket sent by the server. If the server hasn't sent a session ticket yet then the returned value cannot be used for resumption. A better mechanism is to use SSL_CTX_sess_set_new_cb() to set a callback so that your application is informed about the arrival of new session tickets. See the man pages https://www.openssl.org/docs/man3.0/man3/SSL_get1_session.html and https://www.openssl.org/docs/man3.0/man3/SSL_CTX_sess_set_new_cb.html – Matt Caswell Dec 05 '22 at 09:08
  • The client application terminates between the sessions so no data is kept in memory. The first time the client runs it conducts a full handshake and receives a pre-shared key. The next time the client runs it should supply the PSK. – Ido Dec 05 '22 at 15:12
  • Then write the SSL_SESSION object(s) somewhere that will persist, like a file or database, and when appropriate read it (or them) back. For a simple/minimal example, see `sess_out` and `sess_in` in `apps/s_client.c`. But note many, probably most, servers discard or invalidate resumption tickets after some time limit, like 10 minutes or an hour, or if their cache fills. – dave_thompson_085 Dec 05 '22 at 17:36
  • @dave_thompson_085 I managed to store the SSL_SESSION in a file. My understanding is that you need to use SSL_CTX_set_psk_use_session_callback() in order to handle session resumption. When this callback function is triggered it is supposed to store the psk identity inside *id*. But at this point I only have the SSL_SESSION object that I backed up earlier. How can I get the psk identity? See: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_psk_use_session_callback.html – Ido Dec 06 '22 at 14:49
  • No, those are for manual PSKs. For session resumption, use `SSL_set_session` like in earlier protocols (although the session object is internally different). – dave_thompson_085 Dec 06 '22 at 15:39
  • Thank you so much!! I finally managed to make it work – Ido Dec 07 '22 at 10:38

0 Answers