Re: SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); has no effect with TLS 1.3

> On Jan 23, 2019, at 9:57 PM, Matt Caswell <matt@xxxxxxxxxxx> wrote:
> 
> 
> 
> On 23/01/2019 13:01, Arran Cudbard-Bell wrote:
>> As per the subject line:
>> 
>> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)
>> 
>> does not seem to disable generation of stateless tickets with TLS 1.3:
> 
> No - nor does it disable *stateless* tickets with TLSv1.2. The purpose of the
> above call is to disable session caching on the server. Since the whole point
> about stateless tickets is to not require caching this has no effect on
> stateless tickets.

Apologies, I meant stateful tickets. SSL_OP_NO_TICKET was already set to disable stateless tickets.

> So we might expect that if we disable the session cache (using
> SSL_SESS_CACHE_OFF) *and* disable stateless ticket generation using
> SSL_OP_NO_TICKET then no tickets at all would be generated in TLSv1.3. On
> testing this that doesn't seem to be the case. This appears to be an OpenSSL bug
> - and I assume that is the scenario you are hitting.

OK, thanks for confirming.

> Interestingly I note that the tickets generated in such a case are useless. If
> you attempt to resume using them then it doesn't work. So if your intention is
> simply to prevent resumption at all costs, then you have achieved it already (in
> spite of the bug that creates the tickets).

That is interesting indeed, and good to know.

> I created a new github issue to track this problem:

Appreciated.

-Arran
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users