Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)

Maxim Dounin
January 24, 2022 09:26AM
Hello!

On Mon, Jan 24, 2022 at 03:35:18PM +0300, Sergey Kandaurov wrote:

> > On 21 Jan 2022, at 06:57, Maxim Dounin <mdounin@mdounin.ru> wrote:
> >
> > # HG changeset patch
> > # User Maxim Dounin <mdounin@mdounin.ru>
> > # Date 1642737110 -10800
> > # Fri Jan 21 06:51:50 2022 +0300
> > # Node ID cff51689a4a182cb11cba2eb9303e2bc21815432
> > # Parent 96ae8e57b3dd1b10f29d3060bbad93b7f9357b92
> > SSL: always renewing tickets with TLSv1.3 (ticket #1892).
> >
> > Chrome only use TLS session tickets once with TLS 1.3, likely following
>
> uses ?

Fixed, thnx.

> > RFC 8446 Appendix C.4 recommendation.
>
> Besides that, there's a study [1] that discusses 3rd-party
> tracking via session resumption. Although improvements
> in TLS 1.3 that provide different PSK identities in session
> tickets are used to protect against correlation by a passive
> observer, the study suggests to completely deactivate TLS 1.3
> session resumption for privacy reasons.

Sure, but this is certainly unrelated to Chrome behaviour, since
it does accept and use new session tickets, thus allowing infinite
tracking.

> This might be also due to 0-RTT Anti-Replay guidance in case
> the selection from available tickets is agnostic to 0-RTT.
> Practical analysis in [2] demonstrates that Chrome(ium) indeed
> selects among tickets never used before. It doesn't make clear
> separation, though, whether this depends on sending 0-RTT.

The particular behaviour was observed with 0-RTT disabled on the
server ("ssl_early_data off;", the default), so browser knows in
advance that 0-RTT is not going to be used. While it might be the
reason, this would be suboptimal behaviour.

> [1] https://arxiv.org/abs/1810.07304
> [2] "A Survey of TLS 1.3 0-RTT Usage", Mihael Liskij
>
> > With OpenSSL, this works fine with
> > built-in session tickets, since these are explicitly renewed in case of
> > TLS 1.3 on each session reuse, but results in only two connections being
> > reused after an initial handshake when using ssl_session_ticket_key.
> >
> > Fix is to always renew TLS session tickets in case of TLS 1.3 when using
> > ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.
> >
> > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> > --- a/src/event/ngx_event_openssl.c
> > +++ b/src/event/ngx_event_openssl.c
> > @@ -4448,7 +4448,21 @@ ngx_ssl_session_ticket_key_callback(ngx_
> > return -1;
> > }
> >
> > - return (i == 0) ? 1 : 2 /* renew */;
> > + /* renew if TLSv1.3 */
> > +
> > +#ifdef TLS1_3_VERSION
> > + if (SSL_version(ssl_conn) == TLS1_3_VERSION) {
> > + return 2;
> > + }
> > +#endif
> > +
> > + /* renew if non-default key */
> > +
> > + if (i != 0) {
> > + return 2;
> > + }
> > +
> > + return 1;
> > }
> > }
> >
>
> Looks good.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org
Subject Author Views Posted

[PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)

Maxim Dounin 151 January 20, 2022 11:02PM

Re: [PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)

Sergey Kandaurov 61 January 24, 2022 07:38AM

Re: [PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)

Maxim Dounin 120 January 24, 2022 09:26AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 108
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready