1. We can restrict some of the clients from possessing the ticket for
the server and check its extension; the extension is expected to
be empty.
2. During Handshake, before sending the NewSessionTicket to the
client we must check for the client message status, i.e. whether
it’s verified or not, the expected status is the finished message of
the client to be verified.
3. When the ticket is received by the client, we must check for the
opacity of the message.
4. When the server sends the new ticket to a client, we must test
for the presence of Master Secret and other parameters which
are required for the current session.
5. After the completion of the Handshake, test conditions should be
put of the flow of the messages between the server and the
client; this should obey the conventional flow as expected
6. On the rejection of the ticket, the full handshake should take
place and test conditions should be applied to check whether the
expected new ticket has been issued to the client (if it lies in the
respective case)
7. If the client is prepared for receiving and sending ticket, we must
check that it posses at least a Zero length ticket in the Session
ticket extension.
8. In the ticket verification phase, if the server fails then a test case
for the full handshake to have failed should be expected and
checked.
9. If the full handshake fails, a test case on it acceptance should be
applied and checked for the ticket deletion by the client.
10.Validity of the ticket in the client- this test condition should be
applied to check that the client has verified the servers finished
message.
11. Since the updated ticket is issued before the handshake
completes, it is possible that the client may not put the new
ticket into use before it initiates new connections, so the test
condition should be applied to check the start of the new ticket
issued to the client.
12.Ticket should be encrypted in such a way that it should not be
visible 2 any eavesdropper nor the client, while sending the
ticket to the client, a check on the parameters passed and the
secret key withheld with the server must be checked.
13. TICKET LIFETIME- it is indicated in the ticket lifetime field from
the server and it indicates the life time in seconds, if the value is
zero then it means the expiry is unspecified; a test condition
should be applied to check whether the client which used the
ticket DELETES it after its usage/expiry.
14. Ticket should be structure in such a way that it is not examinable
by the clients.
struct {
opaque key_name[16];
opaque iv[16];
opaque encrypted_state<0..2^16-1>;
opaque mac[20];
} ticket;