[PATCH] SSL: always renewing tickets with TLSv1.3 (ticket #1892)
Sergey Kandaurov
pluknet at nginx.com
Mon Jan 24 12:35:18 UTC 2022
> On 21 Jan 2022, at 06:57, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1642737110 -10800
> # Fri Jan 21 06:51:50 2022 +0300
> # Node ID cff51689a4a182cb11cba2eb9303e2bc21815432
> # Parent 96ae8e57b3dd1b10f29d3060bbad93b7f9357b92
> SSL: always renewing tickets with TLSv1.3 (ticket #1892).
>
> Chrome only use TLS session tickets once with TLS 1.3, likely following
uses ?
> RFC 8446 Appendix C.4 recommendation.
Besides that, there's a study [1] that discusses 3rd-party
tracking via session resumption. Although improvements
in TLS 1.3 that provide different PSK identities in session
tickets are used to protect against correlation by a passive
observer, the study suggests to completely deactivate TLS 1.3
session resumption for privacy reasons.
This might be also due to 0-RTT Anti-Replay guidance in case
the selection from available tickets is agnostic to 0-RTT.
Practical analysis in [2] demonstrates that Chrome(ium) indeed
selects among tickets never used before. It doesn't make clear
separation, though, whether this depends on sending 0-RTT.
[1] https://arxiv.org/abs/1810.07304
[2] "A Survey of TLS 1.3 0-RTT Usage", Mihael Liskij
> With OpenSSL, this works fine with
> built-in session tickets, since these are explicitly renewed in case of
> TLS 1.3 on each session reuse, but results in only two connections being
> reused after an initial handshake when using ssl_session_ticket_key.
>
> Fix is to always renew TLS session tickets in case of TLS 1.3 when using
> ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -4448,7 +4448,21 @@ ngx_ssl_session_ticket_key_callback(ngx_
> return -1;
> }
>
> - return (i == 0) ? 1 : 2 /* renew */;
> + /* renew if TLSv1.3 */
> +
> +#ifdef TLS1_3_VERSION
> + if (SSL_version(ssl_conn) == TLS1_3_VERSION) {
> + return 2;
> + }
> +#endif
> +
> + /* renew if non-default key */
> +
> + if (i != 0) {
> + return 2;
> + }
> +
> + return 1;
> }
> }
>
Looks good.
--
Sergey Kandaurov
More information about the nginx-devel
mailing list