[PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)

Maxim Dounin
January 20, 2022 11:02PM
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1642737110 -10800
# Fri Jan 21 06:51:50 2022 +0300
# Node ID cff51689a4a182cb11cba2eb9303e2bc21815432
# Parent 96ae8e57b3dd1b10f29d3060bbad93b7f9357b92
SSL: always renewing tickets with TLSv1.3 (ticket #1892).

Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation. With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -4448,7 +4448,21 @@ ngx_ssl_session_ticket_key_callback(ngx_
return -1;
}

- return (i == 0) ? 1 : 2 /* renew */;
+ /* renew if TLSv1.3 */
+
+#ifdef TLS1_3_VERSION
+ if (SSL_version(ssl_conn) == TLS1_3_VERSION) {
+ return 2;
+ }
+#endif
+
+ /* renew if non-default key */
+
+ if (i != 0) {
+ return 2;
+ }
+
+ return 1;
}
}
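
Review bot: the comment `/* renew if TLSv1.3 */` above the new `SSL_version(ssl_conn) == TLS1_3_VERSION` check says what the branch does but not why, and the reason lives only in the commit message. Suggest expanding it to say that TLS 1.3 clients may use a ticket only once (RFC 8446 Appendix C.4), so a fresh ticket has to be issued on every resumption, as OpenSSL does for its built-in tickets; otherwise a later cleanup could fold this branch back into the `i != 0` test. The removed line carried an inline `/* renew */` next to the value 2, and the new `return 2;` lines are bare numbers, so keeping that inline comment on both of them would preserve what the old line documented.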


_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org