
OpenSSL Cookbook  3rd Edition

The definitive guide to using the OpenSSL command line for configuration and testing. Topics covered in this book include key and certificate management, server configuration, a step by step guide to creating a private CA, and testing of online services. Written by Ivan Ristić.


2.11 Testing Session Resumption

When coupled with the -reconnect switch, the s_client command can be used to test session reuse. In this mode, s_client will connect to the target server six times. It will create a new session on the first connection, then try to reuse the same session in the subsequent five connections:

$ echo | openssl s_client -connect www.feistyduck.com:443 -reconnect
Note

Due to a bug in OpenSSL, at the time of writing session resumption testing doesn’t work in combination with TLS 1.3. Until the bug is resolved,[1] the best you can do is test the earlier protocol versions. Use the -no_tls1_3 switch.

The previous command will produce a sea of output, most of which you won’t care about. The key parts are the information about new and reused sessions. There should be only one new session at the beginning, indicated by the following line:

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

This is followed by five session reuses, indicated by lines like this:

Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Most of the time, you don’t want to look at all that output and want an answer quickly. You can get it using the following command line:

$ echo | openssl s_client -connect www.feistyduck.com:443 -reconnect 2> /dev/null | grep 'New\|Reuse'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256

Here’s what the command does:

  • The -reconnect switch activates the session reuse mode.

  • The 2> /dev/null part hides stderr output, which you don’t care about.

  • Finally, the piped grep command filters out the rest of the fluff and lets through only the lines that you care about. (The \| alternation is not part of POSIX basic regular expressions; grep -E 'New|Reuse' is the portable spelling.)

Note

If you don’t want to include session tickets in the test—for example, because not all clients support this feature yet—you can disable this method of resumption using the -no_ticket switch. With tickets disabled, the test exercises only the server-side session cache (resumption by session ID), so a server that resumes via tickets alone will report a new session on every connection. This option doesn’t apply to TLS 1.3, where resumption is always ticket based.
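The shell script below is an added example and not code from the OpenSSL Cookbook. It wraps the -reconnect command from this section into a reusable check: one function reduces the s_client chatter to a count of New and Reused lines, another turns that count into a pass/fail result, and a third runs the live test against a host, once with tickets allowed and once with -no_ticket so that ticket-based and session-ID-based resumption can be compared. The s_client output embedded in sample_ok and sample_broken is constructed to resemble a real run, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the OpenSSL Cookbook): turn an
# "openssl s_client -reconnect" run into a New/Reused summary.

# summarize_resumption: read s_client output on stdin and print
# "new=N reused=M". Only the status lines that begin with "New, " or
# "Reused, " are counted; protocol version and cipher suite are ignored.
summarize_resumption() {
    awk '
        /^New, /    { new++ }
        /^Reused, / { reused++ }
        END { printf "new=%d reused=%d\n", new + 0, reused + 0 }
    '
}

# resumption_works: succeed (exit 0) only for the expected pattern of one
# new session followed by five reuses. Anything else, including a server
# that negotiates a fresh session on every reconnection, is a failure.
resumption_works() {
    [ "$(summarize_resumption)" = "new=1 reused=5" ]
}

# test_resumption HOST[:PORT] [s_client options...]: run the live check.
# -no_tls1_3 works around the -reconnect bug mentioned in the note above;
# -servername sends SNI so virtual-hosted servers pick the right site.
test_resumption() {
    target=$1
    shift
    host=${target%%:*}
    case $target in
        *:*) ;;
        *) target="$target:443" ;;
    esac
    echo | openssl s_client -connect "$target" -servername "$host" \
        -no_tls1_3 -reconnect "$@" 2>/dev/null | summarize_resumption
}

# compare_resumption HOST[:PORT]: report both resumption mechanisms.
# The second run passes -no_ticket, so only the server-side session cache
# (session IDs) can produce Reused lines.
compare_resumption() {
    printf 'tickets allowed:  %s\n' "$(test_resumption "$1")"
    printf 'session IDs only: %s\n' "$(test_resumption "$1" -no_ticket)"
}

# Constructed s_client output for a server that resumes correctly; the
# surrounding lines stand in for the rest of the s_client chatter.
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
EOF
}

# Constructed s_client output for a server whose session cache is disabled
# or not shared between nodes: every reconnection yields a new session.
sample_broken() {
    cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
EOF
}

# Live usage (placeholder host):  compare_resumption www.example.com
# Offline check of the parser:     sample_ok | resumption_works && echo ok
```

A server behind a load balancer is the usual reason for a "new=6 reused=0" result: each reconnection lands on a node that has never seen the session ID, so the tickets-allowed run should be compared with the -no_ticket run to see whether a shared cache is missing or ticket keys differ between nodes.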


[1] s_client -reconnect Option Is Broken with TLSv1.3 (OpenSSL, retrieved 31 August 2020)
