[PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)

Sergey Kandaurov pluknet at nginx.com
Mon Jan 24 12:35:18 UTC 2022 

> On 21 Jan 2022, at 06:57, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1642737110 -10800
> #      Fri Jan 21 06:51:50 2022 +0300
> # Node ID cff51689a4a182cb11cba2eb9303e2bc21815432
> # Parent  96ae8e57b3dd1b10f29d3060bbad93b7f9357b92
> SSL: always renewing tickets with TLSv1.3 (ticket #1892).
> 
> Chrome only use TLS session tickets once with TLS 1.3, likely following

uses ?

> RFC 8446 Appendix C.4 recommendation.

Besides that, there's a study [1] that discusses 3rd-party
tracking via session resumption.  Although improvements
in TLS 1.3 that provide different PSK identities in session
tickets are used to protect against correlation by a passive
observer, the study suggests to completely deactivate TLS 1.3
session resumption for privacy reasons.

This might be also due to 0-RTT Anti-Replay guidance in case
the selection from available tickets is agnostic to 0-RTT.
Practical analysis in [2] demonstrates that Chrome(ium) indeed
selects among tickets never used before.  It doesn't make clear
separation, though, whether this depends on sending 0-RTT.

[1] https://arxiv.org/abs/1810.07304
[2] "A Survey of TLS 1.3 0-RTT Usage", Mihael Liskij

>  With OpenSSL, this works fine with
> built-in session tickets, since these are explicitly renewed in case of
> TLS 1.3 on each session reuse, but results in only two connections being
> reused after an initial handshake when using ssl_session_ticket_key.
> 
> Fix is to always renew TLS session tickets in case of TLS 1.3 when using
> ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.
> 
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -4448,7 +4448,21 @@ ngx_ssl_session_ticket_key_callback(ngx_
>             return -1;
>         }
> 
> -        return (i == 0) ? 1 : 2 /* renew */;
> +        /* renew if TLSv1.3 */
> +
> +#ifdef TLS1_3_VERSION
> +        if (SSL_version(ssl_conn) == TLS1_3_VERSION) {
> +            return 2;
> +        }
> +#endif
> +
> +        /* renew if non-default key */
> +
> +        if (i != 0) {
> +            return 2;
> +        }
> +
> +        return 1;
>     }
> }
> 

Looks good.

-- 
Sergey Kandaurov

More information about the nginx-devel mailing list