SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); has no effect with TLS 1.3

As per the subject line:

	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF) 

does not seem to disable generation of stateless tickets with TLS 1.3:

	SSL_CTX_set_num_tickets(ctx, 0); 

is also required to prevent the tickets being generated.

There's no mention of this additional call on the SSL_CTX_set_session_cache_mode pages (but it is documented elsewhere).

It really seems like SSL_SESS_CACHE_OFF should also disable TLS 1.3 session tickets if the intent is for TLS 1.3 to mostly be a drop-in replacement for TLS <= 1.2.  A user upgrades the OpenSSL library and suddenly session resumption is enabled where it wasn't before... that doesn't seem right.

In our case this broke our session_resumption control toggle, where 'session_resumption = no' prevented our EAP server implementation from presenting tickets with TLS <= 1.2 but still allowed them if TLS 1.3 was negotiated.

Disabling session resumption is more important with EAP methods like EAP-TTLS and EAP-PEAP because it controls whether phase 2 runs or not - phase 2 being where the actual credential validation happens.

This was tested with current OpenSSL master HEAD.  Can test with the 1.1.* branch if that'd help.

-Arran
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
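The behaviour described in the post, reproduced as an added example (this is not code from the post, from the EAP server mentioned, or from OpenSSL itself). It drives two TLS 1.3 handshakes over memory BIOs through Python's ssl module, which is a thin wrapper over the same OpenSSL API: SSLContext.num_tickets calls SSL_CTX_set_num_tickets(). Python does not expose SSL_CTX_set_session_cache_mode(), so the comparison is between a server context left at its defaults (tickets issued, resumption succeeds) and one with num_tickets = 0 (no NewSessionTicket, the second handshake is a full one). Assumptions: Python 3.8+ linked against OpenSSL 1.1.1 or later, and an openssl command on PATH that is used only to mint a throw-away self-signed certificate for CN=localhost; the cert, the MemoryBIO pumping helper and the demo() function are all constructed here for the example.

```python
"""Show that a TLS 1.3 server issues session tickets unless SSL_CTX_set_num_tickets(ctx, 0)
is applied (Python: SSLContext.num_tickets = 0). Runs offline over memory BIOs."""
import os
import shutil
import ssl
import subprocess
import tempfile


def make_selfsigned(tmpdir):
    """Mint a throw-away self-signed P-256 cert/key for CN=localhost (constructed test material)."""
    cert = os.path.join(tmpdir, "cert.pem")
    key = os.path.join(tmpdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "ec", "-pkeyopt",
         "ec_paramgen_curve:prime256v1", "-nodes", "-keyout", key, "-out", cert,
         "-days", "1", "-subj", "/CN=localhost"],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


def _pump(src, dst):
    """Move whatever one side wrote into the other side's incoming memory BIO."""
    data = src.read()
    if data:
        dst.write(data)


def handshake(cctx, sctx, session=None):
    """Run one handshake over memory BIOs (no sockets) and return the client SSLObject."""
    cin, cout, sin, sout = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(cin, cout, server_hostname="localhost", session=session)
    server = sctx.wrap_bio(sin, sout, server_side=True)
    c_done = s_done = False
    for _ in range(10):  # a TLS 1.3 handshake needs far fewer round trips than this
        if not c_done:
            try:
                client.do_handshake()
                c_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(cout, sin)
        if not s_done:
            try:
                # When this returns, OpenSSL has already queued any NewSessionTicket
                # messages (num_tickets of them) behind the server Finished.
                server.do_handshake()
                s_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(sout, cin)
        if c_done and s_done:
            break
    else:
        raise RuntimeError("handshake did not complete")
    # The client only sees the post-handshake NewSessionTicket when it reads; without
    # a ticket its TLS 1.3 session object is not resumable.
    try:
        client.read(1)
    except ssl.SSLWantReadError:
        pass
    return client


def resumption_works(sctx, cctx):
    """Handshake twice against the same server context; True if the second one resumed."""
    first = handshake(cctx, sctx)
    second = handshake(cctx, sctx, session=first.session)
    return bool(second.session_reused)


def demo():
    """Return {'default': True, 'num_tickets_0': False}, or None if the environment
    lacks TLS 1.3, SSLContext.num_tickets, or the openssl CLI."""
    if not (getattr(ssl, "HAS_TLSv1_3", False)
            and hasattr(ssl.SSLContext, "num_tickets")
            and shutil.which("openssl")):
        return None
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_selfsigned(tmp)
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.check_hostname = False
        cctx.verify_mode = ssl.CERT_NONE  # throw-away self-signed cert; never do this in production
        cctx.minimum_version = ssl.TLSVersion.TLSv1_3

        results = {}
        for label, tickets in (("default", None), ("num_tickets_0", 0)):
            sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            sctx.load_cert_chain(cert, key)
            sctx.minimum_version = ssl.TLSVersion.TLSv1_3  # force TLS 1.3 so only tickets matter
            if tickets is not None:
                sctx.num_tickets = tickets  # == SSL_CTX_set_num_tickets(ctx, 0)
            results[label] = resumption_works(sctx, cctx)
        return results


if __name__ == "__main__":
    print(demo())
```

In C the same two states correspond to the post's pair of calls: SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF) alone leaves the "default" row (TLS 1.3 tickets still issued, resumption still possible), and adding SSL_CTX_set_num_tickets(ctx, 0) produces the "num_tickets_0" row. For the EAP-TTLS/PEAP case in the post, the second call is the one that guarantees phase 2 runs on every connection when TLS 1.3 is negotiated.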