Wed, 2 Jan 2019 at 19:04 Olivier Houchard <ohouch...@haproxy.com> wrote:
> You're right indeed. 0RTT was added with a development version of OpenSSL
> 1.1.1,
> which had a default value for max early data of 16384, but it was changed to
> 0 in the meanwhile.
> Does the attached patch work for you ?
This indeed results in the following when using s_client:

  Max Early Data: 16385

However, I believe it still does not work. I was trying again to test it with s_client. Without the allow-0rtt option I can resume a TLS 1.3 session without problem:

  openssl s_client -connect host:port -sess_out sessfile
  openssl s_client -connect host:port -sess_in sessfile

This results in:

  Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256

As soon as I add allow-0rtt (and your patch), the above s_client test always results in a new session:

  New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256

No matter what I do I was not able to resume any session with allow-0rtt active. Just to rule out that I am using s_client in a wrong way I've made the same test against s_server. I was able to successfully resume the session and even send early data that was accepted. So I believe that there is still something wrong in haproxy with TLS session handling.

-- 
Janusz Dziemidowicz
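An added example, not part of this thread or of haproxy, that automates the check Janusz performs by hand: it parses the summary lines of the second (resuming) s_client run and reports what is missing for a working 0-RTT setup. The sample transcripts are constructed from the lines quoted in the message; the "Early data was ..." status line is s_client's own early-data report.

```python
import re

# Constructed sample transcripts modelled on the lines quoted in the thread,
# trimmed to the fields the check needs.
RESUMED = """---
Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Max Early Data: 16385
Early data was accepted
"""

NOT_RESUMED = """---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Max Early Data: 16385
Early data was rejected
"""

_STATUS_RE = re.compile(r"^(New|Reused), (TLSv1\.[0-9]), Cipher is (\S+)", re.M)
_MAX_EARLY_RE = re.compile(r"^Max Early Data: (\d+)", re.M)
_EARLY_RE = re.compile(r"^Early data was (accepted|rejected|not sent)", re.M)

def parse_s_client(output):
    """Extract resumption status, protocol, cipher and the 0-RTT fields."""
    m = _STATUS_RE.search(output)
    if m is None:
        raise ValueError("no handshake summary line in s_client output")
    max_early = _MAX_EARLY_RE.search(output)
    early = _EARLY_RE.search(output)
    return {
        "resumed": m.group(1) == "Reused",
        "version": m.group(2),
        "cipher": m.group(3),
        "max_early_data": int(max_early.group(1)) if max_early else 0,
        "early_data": early.group(1) if early else None,
    }

def check_0rtt_resumption(second_handshake):
    """List what is wrong with a -sess_in run: resumed TLS 1.3, non-zero max early data, early data accepted."""
    info = parse_s_client(second_handshake)
    problems = []
    if not info["resumed"]:
        problems.append("session was not resumed (full handshake)")
    if info["version"] != "TLSv1.3":
        problems.append("0-RTT requires TLS 1.3, got %s" % info["version"])
    if info["max_early_data"] == 0:
        problems.append("server advertises max_early_data 0 (0-RTT disabled)")
    if info["early_data"] != "accepted":
        problems.append("early data %s" % (info["early_data"] or "status missing"))
    return problems
```

Feed it the captured output of the second s_client run; an empty list means resumption and 0-RTT both worked, while the haproxy case in the thread reports a full handshake.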