Topic: wolfSSL_get1_session returns NULL for ticket-resumed session (RFC5077)
I am trying to use TLS session resumption with wolfSSL, but I encountered some issues when enabling RFC 5077 session tickets (wolfSSL_UseSessionTicket).
As shown in the cllient-tls-resume example (https://github.com/wolfSSL/wolfssl-exam … s-resume.c), I use wolfSSL_get1_session to get the session pointer (for now, I am relying on the internal session cache) before calling wolfSSL_shutdown on the ssl object.
Then, after creating a new ssl object with wolfSSL_new, I call wolfSSL_set_session to set the saved session to the ssl object.
This appears to work fine when I am not using ticket resumption. In such case, wolfSSL_get1_session always returns a non-NULL pointer, also for TLS connections which had been resumed from a previously saved session.
However, with ticket resumption enabled, wolfSSL_get1_session returns NULL for resumed sessions. That is:
1) no session saved, full handshake performed, ticket received from server. wolfSSL_get1_session returns a valid pointer
2) session resumed from the saved session, ticket sent to server, full handshake not performed, connection established. wolfSSL_get1_session returns NULL
It appears to be related to the session ID not really being used with RFC 5077 tickets (section 3.4) and wolfSSL using the session ID internally. Specifically, the NULL is returned because of the
if (ssl->options.haveSessionId == 0) return NULL;
check in GetSession in https://raw.githubusercontent.com/wolfS … /src/ssl.c.
Am I doing something wrong, or is it a limitation of wolfSSL? And if it is a limitation of wolfSSL, are there any suggested workarounds?
I assume I could check for this condition, and if NULL is returned, use the previously stored pointer to resume the session next time. But in such case, I guess I would have to be quite careful about distinguishing this case from genuine errors when the session should be thrown away.