|
|
|
|
|
|
by bearhsiung
3189 days ago
|
|
|
NewSessionTicket is sent before ChangeCipherSpec means the message is not encrypted using the master secret exchanged with the handshake and is not necessary means that the session ticket is in plaintext. Quite contrary, it has been encrypted using the server secret key.
In the page 3 of RFC5077, it states "a ticket that is encrypted and integrity-protected by a key known only to the server." and in the page 11, "Tickets must be authenticated and encrypted to prevent modification or eavesdropping by an attacker." |
|
|