TLS, Wireshark "this session reuses previously negotiated keys"

Question

I made a Wireshark tap for 2 request:

a HTTP GET to a login authentication page
then a HTTP POST when I send credentials to the server

As you can see, I get a warning message from Wireshark because it seems that the TLS session ID is the same for both "Server Hello" packet number 335 and packet number 400.

Is that normal behaviour?

*"I get a __warning__ message..."* - you don't. The security level is explicitly shown as "Note" which is clearly different from "Warn". See also https://www.wireshark.org/docs/wsug_html_chunked/ChAdvExpert.html . Also, session resumption is perfectly normal and common. — Steffen Ullrich, Apr 04 '18 at 11:08

Stephen King · Answer 1 · 2020-02-06T11:13:11.017

As you can see, I get a warning message from Wireshark because it seems that the TLS session ID is the same for both "Server Hello" packet number 335 and packet number 400.

Notice the Severity level of the message you are receiving:

[Severity level: Note]

You are not receiving a warning message.

Is that normal behaviour?

Yes. It is completely normal for sessions to reuse previously negotiated keys. As the message says, this is session resumption.

See also: What are the differences between Session Ticket and Session ID based Session Resumption?

TLS, Wireshark "this session reuses previously negotiated keys"

1 Answers1