Description
from openssl online document: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_tlsext_ticket_key_cb.html
The return value of the cb function is used by OpenSSL to determine what further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can continue on those parameters. Additionally it indicates that the session ticket is in a renewal period and should be replaced. The OpenSSL library will call cb again with an enc argument of 1 to set the new ticket (see RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket and the SSL/TLS session will continue by by negotiating a set of cryptographic parameters or using the alternate SSL/TLS resumption mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a new set of parameters.
less than 0
This indicates an error.
1948 if (enc == 1) { 1949 const ssl_ticket_key_t &most_recent_key = keyblock->keys[0]; 1950 memcpy(keyname, most_recent_key.key_name, sizeof(most_recent_key.key_name)); 1951 RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH); 1952 EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, most_recent_key.aes_key, iv); 1953 HMAC_Init_ex(hctx, most_recent_key.hmac_secret, sizeof(most_recent_key.hmac_secret), evp_md_func, NULL); 1954 1955 Debug("ssl", "create ticket for a new session."); 1956 SSL_INCREMENT_DYN_STAT(ssl_total_tickets_created_stat); 1957 return 0; 1958 } else if (enc == 0) {
the ssl_callback_session_ticket() should return 1 after create a new ticket but 0 here.
and the traffic.out log for current ATS release:
[Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) create ticket for a new session. [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) ssl_callback_info ssl: 0x2b0544006840 where: 8193 ret: 1 [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) ssl_callback_info ssl: 0x2b0544006840 where: 8193 ret: 1 [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) ssl_callback_info ssl: 0x2b0544006840 where: 8193 ret: 1 [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) ssl_callback_info ssl: 0x2b0544006840 where: 8193 ret: 1 [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) ssl_callback_info ssl: 0x2b0544006840 where: 32 ret: 1 [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) ssl_callback_info ssl: 0x2b0544006840 where: 8194 ret: 1 [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) trace=FALSE [Dec 28 21:01:12.742] Server {0x2b052fe4b700} DEBUG: (ssl) SSL server handshake completed successfully
the traffic.out log if return 1 here:
[Dec 30 12:47:16.838] Server {0x2b6ec9340700} DEBUG: (ssl) create ticket for a new session. [Dec 30 12:47:16.838] Server {0x2b6ec9340700} DEBUG: (ssl) trace=FALSE [Dec 30 12:47:16.838] Server {0x2b6ec9340700} DEBUG: (ssl) SSL server handshake completed successfully