[PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)
Maxim Dounin
mdounin at mdounin.ru
Mon Jan 24 14:24:01 UTC 2022
Hello!
On Mon, Jan 24, 2022 at 03:35:18PM +0300, Sergey Kandaurov wrote:
> > On 21 Jan 2022, at 06:57, Maxim Dounin <mdounin at mdounin.ru> wrote:
> >
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1642737110 -10800
> > # Fri Jan 21 06:51:50 2022 +0300
> > # Node ID cff51689a4a182cb11cba2eb9303e2bc21815432
> > # Parent 96ae8e57b3dd1b10f29d3060bbad93b7f9357b92
> > SSL: always renewing tickets with TLSv1.3 (ticket #1892).
> >
> > Chrome only use TLS session tickets once with TLS 1.3, likely following
>
> uses ?
Fixed, thnx.
> > RFC 8446 Appendix C.4 recommendation.
>
> Besides that, there's a study [1] that discusses 3rd-party
> tracking via session resumption. Although improvements
> in TLS 1.3 that provide different PSK identities in session
> tickets are used to protect against correlation by a passive
> observer, the study suggests to completely deactivate TLS 1.3
> session resumption for privacy reasons.
Sure, but this is certainly unrelated to Chrome behaviour, since
it does accept and use new session tickets, thus allowing infinite
tracking.
> This might be also due to 0-RTT Anti-Replay guidance in case
> the selection from available tickets is agnostic to 0-RTT.
> Practical analysis in [2] demonstrates that Chrome(ium) indeed
> selects among tickets never used before. It doesn't make clear
> separation, though, whether this depends on sending 0-RTT.
The particular behaviour was observed with 0-RTT disabled on the
server ("ssl_early_data off;", the default), so browser knows in
advance that 0-RTT is not going to be used. While it might be the
reason, this would be suboptimal behaviour.
> [1] https://arxiv.org/abs/1810.07304
> [2] "A Survey of TLS 1.3 0-RTT Usage", Mihael Liskij
>
> > With OpenSSL, this works fine with
> > built-in session tickets, since these are explicitly renewed in case of
> > TLS 1.3 on each session reuse, but results in only two connections being
> > reused after an initial handshake when using ssl_session_ticket_key.
> >
> > Fix is to always renew TLS session tickets in case of TLS 1.3 when using
> > ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.
> >
> > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> > --- a/src/event/ngx_event_openssl.c
> > +++ b/src/event/ngx_event_openssl.c
> > @@ -4448,7 +4448,21 @@ ngx_ssl_session_ticket_key_callback(ngx_
> > return -1;
> > }
> >
> > - return (i == 0) ? 1 : 2 /* renew */;
> > + /* renew if TLSv1.3 */
> > +
> > +#ifdef TLS1_3_VERSION
> > + if (SSL_version(ssl_conn) == TLS1_3_VERSION) {
> > + return 2;
> > + }
> > +#endif
> > +
> > + /* renew if non-default key */
> > +
> > + if (i != 0) {
> > + return 2;
> > + }
> > +
> > + return 1;
> > }
> > }
> >
>
> Looks good.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list