'session_tickets off' option for TLS 1.3

Alexander Smirnov
April 12, 2020 03:14PM
Hello,

I have found that in TLS 1.3 mode nginx doesn't fully disable session
tickets even with

session_tickets off;

According to https://www.openssl.org/docs/man1.1.1/man3/SSL_get_options.html


SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);

is not enough to disable session tickets. It only disables stateless
tickets but preserves stateful ones.

It can be easily verified with

openssl s_client -connect localhost:443

Nginx still returns session tickets.

To fully disable tickets

SSL_CTX_set_num_tickets(conf->ssl.ctx, 0);

should also be called.

I am not sure about the changes. Not sure if I fully understand your intentions on
this nginx behaviour. Could you please review the proposed patch?
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
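
The `openssl s_client` check described in the post, as a repeatable test (an added example, not part of the original message or of nginx): it counts the TLS 1.3 tickets announced in a captured transcript. The transcripts below are constructed and abbreviated, and `audit_tls13_tickets` is a hypothetical helper name.

```python
import re

# Constructed, abbreviated `openssl s_client` (OpenSSL 1.1.1) transcripts.
# Session IDs and ticket bytes are elided; only the structure matters.
SAMPLE_TICKETS_SENT = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    TLS session ticket lifetime hint: 300 (seconds)
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    TLS session ticket lifetime hint: 300 (seconds)
---
read R BLOCK
"""

SAMPLE_NO_TICKETS = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
read R BLOCK
"""

TICKET_MARK = "Post-Handshake New Session Ticket arrived:"
PROTO_RE = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)
HINT_RE = re.compile(r"TLS session ticket lifetime hint: (\d+) \(seconds\)")

def audit_tls13_tickets(transcript):
    """Summarise ticket issuance seen in one s_client transcript."""
    m = PROTO_RE.search(transcript)
    protocol = m.group(1) if m else None
    # Each ticket is announced by its own marker; the text before the
    # first marker is the handshake summary, not a ticket.
    blocks = transcript.split(TICKET_MARK)[1:]
    hints = [int(h.group(1)) for b in blocks if (h := HINT_RE.search(b))]
    return {
        "protocol": protocol,
        "tickets": len(blocks),
        "lifetime_hints": hints,
        # Only a TLS 1.3 transcript with zero tickets confirms the setting;
        # a TLS 1.2 connection says nothing about the TLS 1.3 path.
        "tickets_fully_off": protocol == "TLSv1.3" and not blocks,
    }
```
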