> On Jan 23, 2019, at 9:57 PM, Matt Caswell <matt@xxxxxxxxxxx> wrote:
>
> On 23/01/2019 13:01, Arran Cudbard-Bell wrote:
>> As per the subject line:
>>
>> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)
>>
>> does not seem to disable generation of stateless tickets with TLS 1.3:
>
> No - nor does it disable *stateless* tickets with TLSv1.2. The purpose of the
> above call is to disable session caching on the server. Since the whole point
> about stateless tickets is to not require caching this has no effect on
> stateless tickets.

Apologies, I meant stateful tickets. SSL_OP_NO_TICKET was already set to disable stateless tickets.

> So we might expect that if we disable the session cache (using
> SSL_SESS_CACHE_OFF) *and* disable stateless ticket generation using
> SSL_OP_NO_TICKET then no tickets at all would be generated in TLSv1.3. On
> testing this that doesn't seem to be the case. This appears to be an OpenSSL bug
> - and I assume that is the scenario you are hitting.

OK, thanks for confirming.

> Interestingly I note that the tickets generated in such a case are useless. If
> you attempt to resume using them then it doesn't work. So if your intention is
> simply to prevent resumption at all costs, then you have achieved it already (in
> spite of the bug that creates the tickets).

That is interesting indeed, and good to know.

> I created a new github issue to track this problem:

Appreciated.

-Arran

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users