'session_tickets off' option for TLS 1.3

Alexander Smirnov alexander at smirn0v.ru
Sun Apr 12 19:12:48 UTC 2020


I have found that in TLS 1.3 mode nginx doesn't fully disable session
tickets even with

session_tickets off;

According to https://www.openssl.org/docs/man1.1.1/man3/SSL_get_options.html

SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);

is not enough to disable session tickets. It only disables stateless
tickets but preserves stateful ones.

It can be easily verified with

openssl s_client -connect localhost:443

Nginx still returns session tickets.

To fully disable tickets

SSL_CTX_set_num_tickets(conf->ssl.ctx, 0);

should also be called.

I am not sure on changes. Not sure if I fully understand your intentions on
this nginx behaviour. Could you please review the proposed patch ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20200412/00d2290b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: session_tickets_off_tls_1_3.patch
Type: application/octet-stream
Size: 2032 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20200412/00d2290b/attachment.obj>

More information about the nginx-devel mailing list