Rainer Jung wrote:
 In the presence of the
session ticket extension, session IDs observed on the server are no
longer a good measurement for session reuse.

Nice remark, except it's not that, it's really broken. With "session tickets off" (confirmed by the absence of the session ticket extension in the client hello), it's still the same behaviour. Apache 2.2.11/openssl 0.9.8i does not have session tickets enabled in my setup.

This being said: the idea of using a non-constant SSL session ID in the specification of the session ticket extension was really *bad*.
