[gnutls-devel] [resent][PATCH] fix SessionTicket when server opted for not renewing ticket

Yuriy M. Kaminskiy yumkam at gmail.com
Fri Mar 18 14:32:30 CET 2016

On 18.03.2016 15:05, Nikos Mavrogiannopoulos wrote:
> On Wed, Mar 16, 2016 at 9:34 PM, Yuriy M. Kaminskiy <yumkam at gmail.com> wrote:
>> When I played with fixed (wrt ALPN-with-sessions) gnutls library and
>> curl, I noticed in wireshark capture for
>>    `curl -v -c jar --location https://www.google.com/ncr
>> https://www.google.com/ncr`,
>> that SessionTickets are used only *once*:
>> 1.ClientHello (empty session id, empty SessionTicket)
>>    <ServerHello (empty session_id, empty SessionTicket)
>>    <Certificate
>>    ClientKeyExchange
>>    ...
>>    <NewSessionTicket [1]
>>    <ChangeCipherSpec
>>    ChangeCipherSpec
>>    ...
>> 2.ClientHello (new random session id[2], SessionTicket with data
>>    from [1])
>>    <ServerHello (same session id[2], *no* SessionTicket)
>>    <ChangeCipherSpec
>>    ...
>>    (=resumed client/ticket-stored session)
>> 3.ClientHello (same session id[2], *no* SessionTicket extension)
>>    <ServerHello (*new* random session id[3], *no* SessionTicket extension)
>>    <Certificate
>>    ClientKeyExchange
>>    ...
>>    <ChangeCipherSpec
>>    ...
>>    (=non-resumed full handshake, establish new server-stored session)
>> 4.ClientHello (same session id[3], *no* SessionTicket extension)
>>    <ServerHello (same session id[3], *no* SessionTicket extension)
>>    <ChangeCipherSpec
>>    (=resumed server-stored session)
>> I've added debug print of session data in curl, it looks like session
>> data saved after step 2 is 150+ bytes shorter (apparently, it does not
>> contain SessionTicket data).
>> After looking at rfc5077, it looks like server is allowed to resume
>> session this way, and client should just keep old SessionTicket data.
>> However, gnutls forgets it instead.
>   I am unable to understand which scenario does not work from the
> description. Could you describe only the non-working scenario and if
> possible provide some reproducer with gnutls-cli or a sample gnutls
> application?
You need to resume session 2 or more times, with a server that opts for
*not* renewing the ticket (e.g. https://www.google.com shows this behavior
for me).
$ wireshark-gtk -p -f 'tcp && port https' &
Set filter to ssl.handshake, start capture.
$ gnutls-cli --inline-commands www.google.com

Current behavior: SessionTicket is used only once, on 2nd resume
SessionTicket is not sent by client, and 2nd resume fails (falls back^1
to full handshake), 3rd and following use server-side sessions and
don't even try to use SessionTicket (look for presence of "SessionTicket
TLS" extension in ClientHello).

Correct behavior (with my patch): SessionTicket is used all times (empty 
on first connect, same data on all following), full handshake is used 
only on first connect.

^1 once again, this is *not* a user-visible error, it is correctly handled
inside gnutls. The only problem is a tiny bit larger resource consumption (and
server-side [non-SessionTicket] sessions are heavier for the server).
