portable icon indicating copy to clipboard operation
portable copied to clipboard
verified publisher icon libressl

TLS session resumption code not used on server any more?

Open Ono-Sendai opened this issue 8 months ago • 6 comments

Hi all, I'm trying and failing to get TLS session resumption working with libtls. I'm using libtls on both the client and server.

I have set tls_config_set_session_lifetime(tls_configuration, 3600 * 24); on the server and tls_config_set_session_fd on the client.

However, tls_conn_session_resumed() is returning 0.

Looking through the libressl code, It appears to me that the server-side session resumption code is not even called with TLS 1.3. (and probably not with other TLS versions). Contrast:

libressl-3.5.2\ssl\ssl_srvr.c, in ssl3_get_client_hello():

i = ssl_get_prev_session(s, &session_id, &ext_block, &al);
if (i == 1) { /* previous session */
	s->internal->hit = 1;
} else if (i == -1)
	goto fatal_err;
else {
	/* i == 0 */
	if (!ssl_get_new_session(s, 1))
		goto err;
}

in libressl-3.5.2\ssl\tls13_server.c in tls13_server_init():

if (!ssl_get_new_session(s, 0)) /* XXX */
	return 0;

I don't see any calls to ssl_get_prev_session() in tls13_server.c, and the XXX comment is very suspcious. The issue remains with libressl 4.0.

Am I missing something here? Can anyone confirm TLS session resumption is working with a TLS 1.3 server?

Cheers, Nick

Ono-Sendai avatar Apr 06 '25 15:04 Ono-Sendai

Am I missing something here? Can anyone confirm TLS session resumption is working with a TLS 1.3 server?

Session resumption in TLSv1.3 requires pre-shared keys which isn't currently implemented (but may be at some point). If you need session resumption, you need to use TLSv1.2.

botovq avatar Apr 06 '25 15:04 botovq

Looking through the libressl code, It appears to me that the server-side session resumption code is not even called with TLS 1.3. (and probably not with other TLS versions).

It is called if a TLSv1.2 client connects to a TLSv1.3 server since it will go through tls13_use_legacy_server() and end up in the legacy state machine in ssl_srvr.c at SSL3_ST_SR_CLNT_HELLO_A, which will call ssl3_get_client_hello(). Likewise, if you have a TLSv1.2 server you will end up there.

botovq avatar Apr 06 '25 15:04 botovq

ok, thanks.

Ono-Sendai avatar Apr 06 '25 16:04 Ono-Sendai

Is there a summary somewhere of what is supported from TLS 1.3? Are single RTT handshakes supported?

Ono-Sendai avatar Apr 07 '25 10:04 Ono-Sendai

Am I missing something here? Can anyone confirm TLS session resumption is working with a TLS 1.3 server? Session resumption in TLSv1.3 requires pre-shared keys which isn't currently implemented (but may be at some point). If you need session resumption, you need to use TLSv1.2.

Btw if something doesn't work, despite there being an API to enable it, it should be documented somewhere that it doesn't work.

Ono-Sendai avatar Apr 07 '25 11:04 Ono-Sendai

Btw if something doesn't work, despite there being an API to enable it, it should be documented somewhere that it doesn't work.

I agree with you. This is less than ideal. There are a couple of things that should be revisited and improved in the libtls documentation. It's just the way it is with a small team, some things take rather longer than they should...

botovq avatar Apr 07 '25 18:04 botovq