'session_tickets off' option for TLS 1.3
Alexander Smirnov
alexander at smirn0v.ru
Sun Apr 12 19:12:48 UTC 2020
Hello,
I have found that in TLS 1.3 mode nginx doesn't fully disable session
tickets even with
session_tickets off;
According to https://www.openssl.org/docs/man1.1.1/man3/SSL_get_options.html
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
is not enough to disable session tickets. It only disables stateless
tickets but preserves stateful ones.
It can be easily verified with
openssl s_client -connect localhost:443
Nginx still returns session tickets.
To fully disable tickets
SSL_CTX_set_num_tickets(conf->ssl.ctx, 0);
should also be called.
I am not sure about the changes. I am not sure if I fully understand your intentions regarding
this nginx behaviour. Could you please review the proposed patch?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: session_tickets_off_tls_1_3.patch
Type: application/octet-stream
Size: 2032 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20200412/00d2290b/attachment.obj>
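The two independent knobs the post describes, as an added example that is not part of the original message, the attached patch, or nginx's own code. It uses Python's ssl module (3.8+, linked against OpenSSL 1.1.1 or later), whose `SSLContext.options` and `SSLContext.num_tickets` wrap SSL_CTX_set_options and SSL_CTX_set_num_tickets respectively, to show that setting SSL_OP_NO_TICKET alone leaves the TLS 1.3 ticket count at OpenSSL's default of 2, and that setting the ticket count to 0 is what actually stops NewSessionTicket messages. The function names are this example's own.

```python
"""Added example, not nginx code: SSL_OP_NO_TICKET vs. SSL_CTX_set_num_tickets.

Python's ssl.SSLContext exposes both OpenSSL calls:
  ctx.options |= ssl.OP_NO_TICKET   ->  SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET)
  ctx.num_tickets = N               ->  SSL_CTX_set_num_tickets(ctx, N)
Requires Python 3.8+ built against OpenSSL 1.1.1+ (num_tickets is TLS 1.3 only).
"""
import ssl


def new_server_context() -> ssl.SSLContext:
    """A server-side context; num_tickets can only be set on server contexts."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def ticket_state(ctx: ssl.SSLContext) -> dict:
    """Report the two settings that together decide whether tickets are sent.

    - no_ticket_option: SSL_OP_NO_TICKET. Disables RFC 5077 stateless tickets
      (TLS 1.2 and earlier). In TLS 1.3 OpenSSL keeps issuing *stateful*
      tickets even with this option set.
    - tls13_tickets_per_handshake: SSL_CTX_get_num_tickets. Number of
      NewSessionTicket messages sent after each TLS 1.3 handshake; the
      OpenSSL default is 2.
    """
    return {
        "no_ticket_option": bool(ctx.options & ssl.OP_NO_TICKET),
        "tls13_tickets_per_handshake": ctx.num_tickets,
    }


def set_no_ticket_option_only(ctx: ssl.SSLContext) -> dict:
    """What 'session_tickets off' did before the proposed patch: option only."""
    ctx.options |= ssl.OP_NO_TICKET
    return ticket_state(ctx)


def disable_session_tickets(ctx: ssl.SSLContext) -> dict:
    """What the post proposes: SSL_OP_NO_TICKET *and* SSL_CTX_set_num_tickets(0)."""
    ctx.options |= ssl.OP_NO_TICKET
    ctx.num_tickets = 0  # no NewSessionTicket after a TLS 1.3 handshake
    return ticket_state(ctx)


def tickets_fully_disabled(ctx: ssl.SSLContext) -> bool:
    """Audit check: both knobs must be set for tickets to be off in every
    protocol version the context can negotiate."""
    s = ticket_state(ctx)
    return s["no_ticket_option"] and s["tls13_tickets_per_handshake"] == 0


if __name__ == "__main__":
    ctx = new_server_context()
    print("default                    :", ticket_state(ctx))
    print("SSL_OP_NO_TICKET only      :", set_no_ticket_option_only(ctx),
          "fully disabled:", tickets_fully_disabled(ctx))
    print("plus SSL_CTX_set_num_tickets(0):", disable_session_tickets(ctx),
          "fully disabled:", tickets_fully_disabled(ctx))
```

To confirm the effect against a live server rather than a context, the check from the post still applies: `openssl s_client -connect localhost:443 -tls1_3 </dev/null` prints a `Post-Handshake New Session Ticket arrived:` block for every ticket the server sends, so a server that has tickets fully disabled prints none.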