Re: tls 1.3: sending multiple tickets

> On 17 Jun 2024, at 19:38, Andres Freund <andres(at)anarazel(dot)de> wrote:

> Note the second to last paragraph: Because we use SSL_OP_NO_TICKET we trigger
> use of stateful tickets. Which afaict are never going to be useful, because we
> don't share the necessary state.

Nice catch, I learned something new today. I was under the impression that the
flag turned of all tickets but clearly not.

> I guess openssl really could have inferred this from the fact that we *do*
> call SSL_CTX_set_session_cache_mode(SSL_SESS_CACHE_OFF), b

Every day with the OpenSSL API is an adventure.

> Seems we ought to use SSL_CTX_set_num_tickets() to prevent issuing the useless
> tickets?

Agreed, in 1.1.1 and above as the API was only introduced then. LibreSSL added
the API in 3.5.4 but only for compatibility since it doesn't support TLS
tickets at all.

> It seems like a buglet in openssl that it forces each session tickets to be
> sent in its own packet (it does an explicit BIO_flush(), so even if we
> buffered between openssl and OS, as I think we should, we'd still send it
> separately), but I don't really understand most of this stuff.

I don't see anything in the RFCs so not sure.

The attached applies this, and I think this is backpatching material since we
arguably fail to do what we say in the code. AFAIK we don't have a hard rule
against backpatching changes to autoconf/meson?

--
Daniel Gustafsson