Have you ever seen a TLS server that was incompatible with TLS session
IDs?

I helped to analyze bug 858394 (with the help of ssltap), where initial
connections to a TLS server work, but attempts to reconnect fail.

If the client includes a non-null session ID parameter in the client
hello message, the server immediately terminates the connection.

I reproduced the problem using ssltap (from NSS) and using the s_client
utility (from openssl).

It has been confirmed (using a custom build) that reconnecting with TLS
session caching disabled makes reconnections work.

Do you agree this is a bug on the server side? Should we attempt to
identify which TLS toolkits and versions show this broken behaviour?

At least NSS/PSM currently don't expect such behaviour. We don't
automatically retry without a TLS session ID. Should we?

Regards
Kai

PS:

Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=858394

How to reproduce: 
# ssltap -s -l 86.65.39.15:6697
# openssl s_client -connect 127.0.0.1:1924 -ssl3 -tls1 \
                   -no_ssl2 -no_tls1_1 -no_tls1_2 -reconnect


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
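As an added example (not code from Kai's message, NSS, or OpenSSL), the following Python builds a minimal TLS 1.0 ClientHello with or without a session ID and extracts the session_id field from a captured ClientHello record, so that a trace from ssltap can be checked for exactly the non-empty session ID the server above rejects. The cipher suites and the zeroed client random are constructed values chosen for reproducibility.

```python
import struct

TLS10 = b"\x03\x01"

def build_client_hello(session_id: bytes = b"", cipher_suites=(0x002F, 0x0035)) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (RFC 2246 layout).

    session_id is the field the reported server cannot handle when it is
    non-empty: a fresh connection sends an empty one, a resumption attempt
    sends the ID the server issued earlier (at most 32 bytes).
    """
    if len(session_id) > 32:
        raise ValueError("session_id may be at most 32 bytes")
    client_random = b"\x00" * 32                     # constructed: fixed, not random
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS10 + client_random
            + bytes([len(session_id)]) + session_id   # 1-byte length prefix
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                            # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + TLS10 + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello_session_id(record: bytes) -> bytes:
    """Return the session_id carried by a ClientHello record, b'' if the client offered none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    sid_len = body[34]                                # after 2-byte version + 32-byte random
    sid = body[35:35 + sid_len]
    if len(sid) != sid_len:
        raise ValueError("truncated session_id")
    return sid
```

A non-empty return value from parse_client_hello_session_id on the second ClientHello of a trace marks the resumption attempt that triggers the server-side disconnect.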
