Wed, 2 Jan 2019 at 19:04 Olivier Houchard <ohouch...@haproxy.com> wrote:
> You're right indeed. 0RTT was added with a development version of OpenSSL 
> 1.1.1,
> which had a default value for max early data of 16384, but it was changed to
> 0 in the meanwhile.
> Does the attached patch work for you?

This indeed results in the following when using s_client:
    Max Early Data: 16385

However, I believe it still does not work. I was trying again to test
it with s_client.

Without the allow-0rtt option I can resume a TLS 1.3 session without problem:
openssl s_client -connect host:port -sess_out sessfile
openssl s_client -connect host:port -sess_in sessfile
This results in:
Reused, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256

As soon as I add allow-0rtt (and your patch), the s_client commands above
always result in a new session:
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
No matter what I did, I was not able to resume any session with allow-0rtt active.

Just to rule out that I am using s_client in a wrong way, I've made the
same test against s_server. I was able to successfully resume the session
and even send early data that was accepted. So I believe that there is
still something wrong in haproxy with TLS session handling.

-- 
Janusz Dziemidowicz
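The resumption check described in the message above, as an added shell example that is not part of the thread or of HAProxy: it wraps the two s_client invocations (save the session, then try to resume it) and parses the transcript for the Reused/New line, the advertised Max Early Data value and s_client's early-data verdict, so the result can be checked by a script instead of by eye. The host, port, session file and the TARGET_HOST/TARGET_PORT variables are placeholders; the parsing functions run offline on a captured transcript.

```shell
#!/bin/sh
# Added example, not from the thread: automate the s_client resumption test.

# classify_session_output TRANSCRIPT
# Prints "reused" if s_client reported a resumed session, "new" for a full
# handshake, "unknown" if neither line is present.
classify_session_output() {
    case "$1" in
        *"Reused, TLSv1.3"*) echo reused ;;
        *"New, TLSv1.3"*)    echo new ;;
        *)                   echo unknown ;;
    esac
}

# max_early_data TRANSCRIPT
# Prints the number after "Max Early Data:" (0 if the line is absent, which is
# what a server that does not advertise early data amounts to).
max_early_data() {
    n="$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Max Early Data:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)"
    printf '%s\n' "${n:-0}"
}

# early_data_status TRANSCRIPT
# Prints accepted / rejected / not_sent / unknown based on s_client's
# "Early data was ..." line.
early_data_status() {
    case "$1" in
        *"Early data was accepted"*) echo accepted ;;
        *"Early data was rejected"*) echo rejected ;;
        *"Early data was not sent"*) echo not_sent ;;
        *)                           echo unknown ;;
    esac
}

# run_resumption_test HOST PORT [extra s_client args...]
# First connection stores the session; second connection tries to resume it.
# Prints the classification of the second connection. Requires network access.
run_resumption_test() {
    host="$1"; port="$2"; shift 2
    sess="$(mktemp)"
    # Keep stdin open briefly so the post-handshake NewSessionTicket (TLS 1.3
    # sends it after the handshake) arrives before s_client exits.
    sleep 1 | openssl s_client -connect "$host:$port" -sess_out "$sess" "$@" >/dev/null 2>&1
    out="$(sleep 1 | openssl s_client -connect "$host:$port" -sess_in "$sess" "$@" 2>&1)"
    rm -f "$sess"
    echo "session:        $(classify_session_output "$out")"
    echo "max_early_data: $(max_early_data "$out")"
    echo "early_data:     $(early_data_status "$out")"
}

# Placeholder entry point: TARGET_HOST=host TARGET_PORT=port sh this_script.sh
if [ -n "${TARGET_HOST:-}" ]; then
    run_resumption_test "$TARGET_HOST" "${TARGET_PORT:-443}"
fi
```

The expected outcome for a correctly configured server is `session: reused`; a `session: new` result on the second run, with `max_early_data` non-zero, is the symptom reported in the message.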
