TLSv1.3 sessions are lost after a graceful restart, which isn't the case with TLSv1.2.

Steps to reproduce:
- Configure shared-memory session cache: SSLSessionCache shmcb:/path/to/datafile[(size)]
- Connect with openssl s_client with the -sess_out <file> parameter so that we get a session file.
- Gracefully restart Apache.
- Connect again with openssl s_client, this time with the -sess_in <file> parameter so we use that session from before.
- See the full handshake happening...

Now to see the difference, just do the same steps but don't gracefully restart Apache.

I have had a look in the sources at ssl_scache.c, and the killing and the re-initialization of the cache, respectively, are skipped correctly:

At the top of ssl_scache_init:

    if (ap_is_graceful()) {
        return APR_SUCCESS;
    }

and also at the beginning of ssl_scache_kill:

    if (mc->sesscache && !ap_is_graceful()) {
        mc->sesscache->destroy(mc->sesscache_context, s);
    }

But still something must be wrong, because the graceful restart obviously somehow destroys the session...

For more details also see my question on Stack Overflow: https://stackoverflow.com/questions/60080365/apaches-sslsessioncache-not-working-correctly-with-tlsv1-3-and-graceful-restart
After some investigation I have an update on this. It is related to the SSLSessionTickets directive.
- With "SSLSessionTickets off" resumption works after a graceful restart.
- With "SSLSessionTickets on" this doesn't work...
(In reply to Dominik Stillhard from comment #1)
> after some investigations i have an update on this. it is related to the
> SSLSessionTickets directive.
>
> - With "SSLSessionTickets off" resumption works after a graceful restart.
>
> - With "SSLSessionTickets on" this doesn't work...

This makes sense. During restart the key to encrypt the session will very likely be recreated. Hence old session tickets can no longer be decrypted after the restart.
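
The reproduction steps from the report, scripted so the check can be repeated with SSLSessionTickets on and off and with either protocol version. This is an added example, not part of the original thread or of httpd; HOST, PORT, PROTO, the restart command and the script name are assumptions.

```shell
#!/bin/sh
# Added example: automates the reproduction steps from the report.
# HOST, PORT, PROTO and the restart command are assumptions for illustration.
HOST=${HOST:-localhost}
PORT=${PORT:-443}
PROTO=${PROTO:-tls1_3}        # set PROTO=tls1_2 for the comparison run

# Constructed s_client status lines, used only to exercise handshake_kind.
SAMPLE_FULL='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_RESUMED='Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'

# Classify an s_client transcript: "Reused, ..." means the session was
# resumed, "New, ..." means a full handshake took place.
handshake_kind() {
    if printf '%s\n' "$1" | grep -q '^Reused, '; then
        echo resumed
    elif printf '%s\n' "$1" | grep -q '^New, '; then
        echo full
    else
        echo unknown          # no handshake summary, e.g. connection failed
    fi
}

# connect <sess_out|sess_in> <file>: one handshake against HOST:PORT.
# stdin stays open for a second because a TLSv1.3 ticket arrives after the
# handshake and has to be received before -sess_out can save it.
connect() {
    sleep 1 | openssl s_client -connect "$HOST:$PORT" "-$PROTO" "-$1" "$2" 2>&1
}

# run_check <restart command...>: save a session, restart, try to resume.
run_check() {
    sess=$(mktemp)
    connect sess_out "$sess" >/dev/null
    "$@"                      # e.g. apachectl -k graceful
    sleep 2                   # give the new generation time to accept
    handshake_kind "$(connect sess_in "$sess")"
    rm -f "$sess"
}

# Only touch the network when asked to (hypothetical script name):
#   ./check.sh --run apachectl -k graceful
if [ "${1:-}" = "--run" ]; then
    shift
    run_check "$@"
fi
```

Passing a no-op such as `true` as the restart command gives the baseline run without a restart that the report describes.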