
OpenSSL Cookbook  3rd Edition

The definitive guide to using the OpenSSL command line for configuration and testing. Topics covered in this book include key and certificate management, server configuration, a step-by-step guide to creating a private CA, and testing of online services. Written by Ivan Ristić.


2.12 Keeping Session State across Connections

If you need better control over resumption, the s_client tool provides options to persist the connection state to a file. On your first connection, use the -sess_out switch to record the state:

$ openssl s_client -connect www.feistyduck.com:443 -sess_out sess.pem

To view the recorded state, use the sess_id tool:

$ openssl sess_id -in sess.pem -noout -text
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: F7384C2C4BE621F66045ECE12A89821FEE789C2E75B78C90C428BE37E0FE4599
    Session-ID-ctx: 
    Master-Key: 9D39C582D9AA1618B2F16C7911C4BFFB61D6D1FD578A93B1145FD2B4DBFDE76EB2279BA50AEFFCD95320BEEBC9489FAF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - a2 d3 e3 04 03 21 85 6d-1a 4f 9c 82 fc 4e 15 e0   .....!.m.O...N..
    0010 - 9b b8 b1 24 0d 95 a3 0a-b8 24 d4 f5 d2 be b8 56   ...$.....$.....V
    0020 - b2 f0 e9 c5 e5 53 31 b5-24 74 96 ba e4 56 32 68   .....S1.$t...V2h
    0030 - fe bb 7a 7f 28 d7 c4 19-6a c5 ca 22 3a a7 2d 45   ..z.(...j..":.-E
    0040 - 52 91 74 f7 a8 fa 75 40-02 b9 84 9c 84 0d a8 06   R.t...u@........
    0050 - c7 a1 65 af 8b 54 19 74-52 e8 c4 f4 47 1c 3f f0   ..e..T.tR...G.?.
    0060 - 46 35 1a 3c a9 a5 73 30-33 b7 20 bd dc 8a b8 f9   F5.<..s03. .....
    0070 - 79 20 4a de b3 60 83 53-c7 a7 62 e1 a2 9e 55 8c   y J..`.S..b...U.
    0080 - 24 0a f5 4c ab 81 a5 d9-36 ae 52 61 a1 4e b7 99   $..L....6.Ra.N..
    0090 - 20 9e ca 67 49 ea 80 a4-14 ce ac 36 aa 20 0e 53    ..gI......6. .S
    00a0 - d7 9f 14 a6 7c b9 88 4c-6b 69 93 d4 62 fb 02 50   ....|..Lki..b..P

    Start Time: 1602414785
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no

Finally, to connect again using the same session state, use the -sess_in switch:

$ openssl s_client -connect www.feistyduck.com:443 -sess_in sess.pem

Keeping the state across connections in this way gives you more control and enables you to completely change connection parameters from one connection to another. For example, you could connect to one server on your first attempt, then to another server on your second. This is useful when you need to test whether session resumption is correctly implemented across a web server cluster. Manual control of your connections also allows you to spread them over time, perhaps to test session timeouts and ticket key rotation.
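The three commands above as one scripted check, added here as an example rather than code from the book: it records a session, reconnects with -sess_in, reads the "Reused"/"New" line that s_client prints after the handshake to tell whether resumption actually happened, and computes from the sess_id output when the recorded session expires. The helper names and the sess.txt file are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenSSL Cookbook. Drives the -sess_out / -sess_in
# procedure above and reports whether the second handshake actually resumed.
# The helper names and the sess.pem / sess.txt file names are this example's own.

# Classify an s_client transcript: s_client prints "Reused, <version>, Cipher is ..."
# after a resumed handshake and "New, <version>, Cipher is ..." after a full one.
resumption_status() {
    if grep -q '^Reused, ' "$1"; then
        echo resumed
    elif grep -q '^New, ' "$1"; then
        echo full
    else
        echo unknown
        return 1
    fi
}

# Unix time at which a session recorded with -sess_out expires, computed from
# the "Start Time" and "Timeout" lines of `openssl sess_id -text` output.
session_expiry() {
    start=$(sed -n 's/^ *Start Time: *\([0-9]*\).*/\1/p' "$1")
    timeout=$(sed -n 's/^ *Timeout *: *\([0-9]*\).*/\1/p' "$1")
    echo $((start + timeout))
}

# Record a session from $1 (host:port), wait $2 seconds (default 0), reconnect
# with -sess_in, and print what happened on each connection. A "full" second
# handshake after a short delay means the server (or this cluster node) did not
# accept the session; a "full" one after a long delay may just be the timeout.
check_resumption() {
    target=$1
    delay=${2:-0}
    first=$(mktemp)
    second=$(mktemp)
    openssl s_client -connect "$target" -sess_out sess.pem </dev/null >"$first" 2>&1
    openssl sess_id -in sess.pem -noout -text >sess.txt
    sleep "$delay"
    openssl s_client -connect "$target" -sess_in sess.pem </dev/null >"$second" 2>&1
    printf 'first: %s\nsecond: %s\nsession expires at: %s (now %s)\n' \
        "$(resumption_status "$first")" "$(resumption_status "$second")" \
        "$(session_expiry sess.txt)" "$(date +%s)"
    rm -f "$first" "$second"
}
```

Run it as `check_resumption www.feistyduck.com:443 60` to wait a minute between the two connections, or with a delay longer than the reported Timeout to confirm that the server really does reject an expired session.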
