所以我在 nginx 中使用 TLSv1.3,在测试期间curl我openssl看到了以下模式:
curl -v https://domain-using-tls2:
...
<request headers>
>
* TLSv1.2 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
<response headers>
...
curl -v https://domain-using-tls3:
...
<request headers>
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
<response headers>
...
并用 挖掘openssl s_client -connect domain-using-tls3:443,以下块出现两次(连续)具有不同的值:
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 819CA63CCA685293BDC0B45243F835AE891F55144218CB8FB35AA7F21C37B5AF
Session-ID-ctx:
Resumption PSK: EC0F7DAEFA69EF162BDB2D23D7017D5E4D5F8B4E37461C016FFEE110EA7A9DB42B0C4E34558780CBDEE1827E2A70A0F7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 62 b6 46 5a d2 1e f5 0d-6c 05 a1 00 f7 0d 5b bd b.FZ....l.....[.
0010 - bd 4e 27 96 cc ee 88 dd-a3 5f 03 6f fb 5b 0d 1f .N'......_.o.[..
Start Time: 1606408171
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
...
所以,我的问题是:TLSv1.3 协议中是否有一些东西强制 nginx 发送会话票两次,或者它是 nginx 的特殊内容?因为它看起来只是一些多余的东西,会被客户忽略......