Hello,
I have found that in TLS 1.3 mode nginx doesn't fully disable session
tickets even with
session_tickets off;
According to https://www.openssl.org/docs/man1.1.1/man3/SSL_get_options.html
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
is not enough to disable session tickets. It only disables stateless
tickets but preserves stateful ones.
It can be easily verified with
openssl s_client -connect localhost:443
Nginx still returns session tickets.
To fully disable tickets
SSL_CTX_set_num_tickets(conf->ssl.ctx, 0);
should also be called.
I am not sure on changes. Not sure if I fully understand your intentions on
this nginx behaviour. Could you please review the proposed patch ?
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel