So I was playing with TLSv1.3 in nginx and during the tests with curl and openssl I saw the following pattern:

`curl -v https://domain-using-tls2`:

```
...
<request headers>
>
* TLSv1.2 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
<response headers>
...
```

`curl -v https://domain-using-tls3`:

```
...
<request headers>
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
<response headers>
...
```

And digging with `openssl s_client -connect domain-using-tls3:443`, the following block appears twice (consecutively) with different values:

```
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 819CA63CCA685293BDC0B45243F835AE891F55144218CB8FB35AA7F21C37B5AF
    Session-ID-ctx: 
    Resumption PSK: EC0F7DAEFA69EF162BDB2D23D7017D5E4D5F8B4E37461C016FFEE110EA7A9DB42B0C4E34558780CBDEE1827E2A70A0F7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 62 b6 46 5a d2 1e f5 0d-6c 05 a1 00 f7 0d 5b bd   b.FZ....l.....[.
    0010 - bd 4e 27 96 cc ee 88 dd-a3 5f 03 6f fb 5b 0d 1f   .N'......_.o.[..

    Start Time: 1606408171
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
...
```

So, my question is: is there something in the TLSv1.3 protocol that forces nginx to send the session ticket twice, or is it something particular to nginx? Because it just looks like something redundant that is gonna be ignored by the client...

  • Ticket is different in TLS1.3 than earlier versions; it actually sets the name for a derived PSK that preserves forward secrecy and there can be more than one, see RFC8446. Nginx uses OpenSSL and apparently does not alter the [default of 2](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_num_tickets.html). I'm not sure why OpenSSL chose that default, but you can see it also with `openssl s_server` and `openssl s_client`. If you care to pursue this, it isn't really a programming question or problem and would be more suitable on https://security.stackexchange.com . – dave_thompson_085 Nov 28 '20 at 07:07
  • I encountered a similar problem. The link is similar (nginx + openssl tls 1.3). In my case there is authorization via cookie, which consists of several subrequests, and in automatic mode with saving cookie to file nothing works. On the next request the cookie is replaced, which leads to a 403 error – ktscript May 12 '21 at 05:30
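
Why the two ticket blocks carry different values, as an added example (not part of the original question or comments, and not OpenSSL or nginx code): under RFC 8446 section 4.6.1 each NewSessionTicket has its own `ticket_nonce`, and the PSK for that ticket is HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, Hash.length). The secret, the 8-byte counter nonces and the ticket bytes are constructed placeholders, and `build_nst` is a hypothetical helper used only to produce the sample messages.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha384  # hash of TLS_AES_256_GCM_SHA384, the suite in the s_client output

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1) built on HKDF-Expand (RFC 5869)."""
    full = b"tls13 " + label
    info = struct.pack(">HB", length, len(full)) + full + bytes([len(context)]) + context
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def resumption_psk(rms: bytes, ticket_nonce: bytes) -> bytes:
    """PSK tied to one ticket: resumption master secret plus that ticket's nonce."""
    return hkdf_expand_label(rms, b"resumption", ticket_nonce, HASH().digest_size)

def parse_new_session_ticket(body: bytes) -> dict:
    """Parse a NewSessionTicket handshake body (RFC 8446 section 4.6.1)."""
    try:
        lifetime, _age_add, nonce_len = struct.unpack_from(">IIB", body, 0)
        nonce = body[9:9 + nonce_len]
        pos = 9 + nonce_len
        (ticket_len,) = struct.unpack_from(">H", body, pos)
        ticket = body[pos + 2:pos + 2 + ticket_len]
        pos += 2 + ticket_len
        (ext_len,) = struct.unpack_from(">H", body, pos)
    except struct.error as exc:
        raise ValueError("truncated NewSessionTicket") from exc
    if not ticket or len(ticket) != ticket_len or pos + 2 + ext_len != len(body):
        raise ValueError("malformed NewSessionTicket")
    return {"lifetime": lifetime, "nonce": nonce, "ticket": ticket}

def build_nst(lifetime: int, age_add: int, nonce: bytes, ticket: bytes) -> bytes:
    """Build a constructed sample message with an empty extensions block."""
    return (struct.pack(">IIB", lifetime, age_add, len(nonce)) + nonce
            + struct.pack(">H", len(ticket)) + ticket + b"\x00\x00")

# Constructed sample data: placeholder secret, two tickets with counter nonces.
RMS = bytes(range(48))
SAMPLES = [build_nst(300, 7 + i, i.to_bytes(8, "big"), bytes([0xA0 + i]) * 32) for i in range(2)]

if __name__ == "__main__":
    for t in map(parse_new_session_ticket, SAMPLES):
        print(t["lifetime"], t["nonce"].hex(), resumption_psk(RMS, t["nonce"]).hex())
```

Run directly, it prints two lines with the same lifetime but different nonces and 48-byte PSKs, mirroring the two `Post-Handshake New Session Ticket arrived` blocks above.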
