Re: TLS session tickets disabled?

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Cameron Vogt <cvogt@automaticcontrols.net>, Tom Lane <tgl@sss.pgh.pa.us>, "pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>
Date: 2024-08-16T08:11:32Z
Lists: pgsql-bugs

Attachments

> On 15 Aug 2024, at 21:33, Daniel Gustafsson <daniel@yesql.se> wrote:
> 
>> On 15 Aug 2024, at 19:52, Jacob Champion <jacob.champion@enterprisedb.com> wrote:
>> 
>> On Thu, Aug 15, 2024 at 10:36 AM Cameron Vogt
>> <cvogt@automaticcontrols.net> wrote:
>>> I don't know enough about TLS handshakes and session tickets to know where the bug truly lies (PostgreSQL/OpenSSL vs .NET's SslStream).
>> 
>> I'm getting the feeling that this is our bug, and that we should be
>> using both SSL_OP_NO_TICKET (for TLSv1.2) and SSL_CTX_set_num_tickets
>> (for TLSv1.3). I don't see any indication in the docs or source that
>> the latter does anything for 1.2.
> 
> Thanks for copying me, I have been on vacation and had missed this thread.  It
> does indeed have the smell of me messing up when reading the OpenSSL docs =(

The attached, backpatched all the way, should be the correct fix.  Sorry for
the mess =(

--
Daniel Gustafsson

Commits

  1. Fix regression in TLS session ticket disabling