#StackBounty: #ssl #https #curl TLS 1.3 Session Resumption Using Curl – Every other request uses full handshake

Bounty: 50

I am attempting to test TLS 1.3 session resumption between our embedded devices and cloud server (NGINX). Our embedded devices use libcurl, and have exhibited some odd behavior where only every other request sends a PSK and re-connects with an abbreviated TLS handshake. I’ve been able to recreate this on the command line as well:

curl -X GET --tlsv1.3 -H "Connection: close" --cacert <our_ca_bundle> <url> <url> <url> <url> <url> <url>

The Connection: close is necessary to force the handshake between requests. The URLs are all the same, and every other https request results in an abbreviated handshake.

We get the same behavior with requests from the C++ application using libcurl.

If I test using OpenSSL s_client, it works as expected with all requests after the first using an abbreviated handshake.

echo -en "GET /ping HTTP/1.1\r\nHost: <HOST>\r\nConnection: close\r\n\r\n" | openssl s_client -connect <HOST>:443 -sess_out session -tls1_3 -quiet

echo -en "GET /ping HTTP/1.1\r\nHost: <HOST>\r\nConnection: close\r\n\r\n" | openssl s_client -connect <HOST>:443 -sess_in session -tls1_3

echo -en "GET /ping HTTP/1.1\r\nHost: <HOST>\r\nConnection: close\r\n\r\n" | openssl s_client -connect <HOST>:443 -sess_in session -tls1_3

...and so on

When I try the same curl request against https://google.com it works as expected with every request after the first resuming the TLS connection.

Any ideas on why the curl requests behave this way?
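A small harness for the comparison described in the question, added here as an example and not part of the original post: it labels each connection as a full or resumed handshake from the `New,` / `Reused,` summary line that `openssl s_client` prints, then names the pattern across the run. The function names, the `fixed`/`refresh` modes and the `PROBE_HOST` variable are assumptions of this example; `fixed` re-presents the first saved session every time as the post's test does, while `refresh` also writes the session file back after each connection.

```sh
#!/bin/sh
# Added example: classify TLS 1.3 handshakes seen by `openssl s_client`.

# Read one s_client transcript on stdin; print full, resumed or unknown.
# The whole stream is consumed so s_client is never cut off by a closed pipe.
handshake_kind() {
    awk '/^New, /    { if (!k) k = "full" }
         /^Reused, / { if (!k) k = "resumed" }
         END         { print (k ? k : "unknown") }'
}

# Name the pattern in a sequence of kinds (the first connection is the baseline).
describe_pattern() {
    echo "$*" | awk '{
        all = 1; none = 1; alt = (NF >= 3)
        for (i = 2; i <= NF; i++) {
            if ($i != "resumed") all = 0; else none = 0
            want = (i % 2 == 0) ? "resumed" : "full"
            if ($i != want) alt = 0
        }
        if (NF < 2)    print "too-short"
        else if (all)  print "resumes-every-time"
        else if (none) print "never-resumes"
        else if (alt)  print "alternating"
        else           print "mixed"
    }'
}

# probe HOST N MODE: make N connections to HOST:443 and print the kind of each.
probe() {
    host=$1; n=$2; mode=$3; sess=$(mktemp); kinds=""; i=1
    while [ "$i" -le "$n" ]; do
        if [ "$i" -eq 1 ]; then args="-sess_out $sess"
        elif [ "$mode" = refresh ]; then args="-sess_in $sess -sess_out $sess"
        else args="-sess_in $sess"; fi
        kind=$(printf 'GET /ping HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" |
            openssl s_client -connect "$host:443" -tls1_3 -ign_eof $args 2>/dev/null |
            handshake_kind)
        kinds="$kinds $kind"; i=$((i + 1))
    done
    rm -f "$sess"
    echo $kinds
}

if [ -n "${PROBE_HOST:-}" ]; then      # live run against your own server
    for m in fixed refresh; do k=$(probe "$PROBE_HOST" 6 "$m"); echo "$m: $k -> $(describe_pattern $k)"; done
else                                   # constructed sequence, no network needed
    describe_pattern full resumed full resumed full resumed
fi
```

Run it as `PROBE_HOST=<HOST> sh probe.sh` to compare both modes against the same server.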

