On Thu, May 21, 2026 at 04:01:22PM -0700, Eric Rescorla wrote:
> During auth48 I noted the following commit:
> https://github.com/tlswg/tls13-spec/commit/81b7ebb15bfe1ace62067cfd9e513d8c993c6ce5
> which adds the requirement that the server receive psk_key_exchange_modes
> before it can send NST.
>
> At any time after the server has received **both a "psk_key_exchange_modes"
> extension and** the client Finished message, it MAY send a NewSessionTicket
> message.
>
> The previous text was a bit vague on this, saying:
> restricts the modes for use with PSK resumption. Servers SHOULD NOT
> send NewSessionTicket with tickets that are not compatible with the
> advertised modes; however, if a server does so, the impact will just
> be that the client's attempts at resumption fail.
>
> You could read this as you shouldn't send NST unless the client indicated
> some modes, and so I think this change is good in theory, but I wanted to
> double check that nobody's implementation would somehow be broken
> up by this....

OpenSSL does not send session tickets unless the client explicitly
indicated at least one PSK mode that is also supported by the server.
The phrasing "tickets that are not compatible with the advertised modes"
is however misleading. Nothing about the ticket itself is or isn't
compatible with the PSK modes. Rather, the barrier is whether
resumption is a priori impossible, for lack of a mutually supported PSK
mode, in which case no "compatible" ticket can exist.
--
Viktor. 🇺🇦 Слава Україні!
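
The gate discussed in this thread, as an added example that is not part of either message and is not OpenSSL's code: it parses the psk_key_exchange_modes extension body and decides whether a server may send NewSessionTicket. The function names, the `require_common_mode` flag and the representation of the ClientHello extensions as a type-to-body map are assumptions made for illustration.

```python
from __future__ import annotations

# Added example, not OpenSSL's code. All function and parameter names are hypothetical.
EXT_PSK_KEY_EXCHANGE_MODES = 45   # ExtensionType psk_key_exchange_modes (RFC 8446)
PSK_KE, PSK_DHE_KE = 0, 1         # PskKeyExchangeMode values (RFC 8446, 4.2.9)


class DecodeError(ValueError):
    """Malformed extension body; a real stack would abort with decode_error."""


def parse_psk_modes(body: bytes) -> set[int]:
    """Parse PskKeyExchangeModes: ke_modes<1..255>, a 1-byte length then modes."""
    if len(body) < 2 or body[0] != len(body) - 1:
        raise DecodeError("ke_modes length missing, zero, or inconsistent")
    return set(body[1:])  # unknown values are kept; they never match a server mode


def may_send_nst(client_exts: dict[int, bytes], server_modes: set[int],
                 client_finished_seen: bool, require_common_mode: bool = True) -> bool:
    """Decide whether the server may send NewSessionTicket.

    The revised text requires both the extension and the client Finished.
    require_common_mode=True adds the stricter policy described in the reply:
    no ticket unless at least one offered mode is also supported by the server.
    """
    body = client_exts.get(EXT_PSK_KEY_EXCHANGE_MODES)
    if body is None or not client_finished_seen:
        return False
    offered = parse_psk_modes(body)
    return bool(offered & server_modes) if require_common_mode else True


# Constructed ClientHello extension maps (type -> raw extension body).
SAMPLES = {
    "dhe only": {45: b"\x01\x01"},
    "psk_ke only": {45: b"\x01\x00"},
    "no extension": {},
}

if __name__ == "__main__":
    for name, exts in SAMPLES.items():
        print(name, may_send_nst(exts, {PSK_DHE_KE}, client_finished_seen=True))
```

With a server that supports only psk_dhe_ke, the "psk_ke only" sample passes the revised spec condition but fails the mutual-mode check, which is the case where no usable ticket can exist.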