Re: tls 1.3: sending multiple tickets
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Andres Freund <andres@anarazel.de>,
PostgreSQL Hackers <pgsql-hackers@postgresql.org>
Date: 2024-07-26T11:55:29Z
Lists: pgsql-hackers
> On 24 Jul 2024, at 07:44, Heikki Linnakangas <hlinnaka@iki.fi> wrote: > > On 18/06/2024 16:11, Daniel Gustafsson wrote: >>> On 17 Jun 2024, at 19:38, Andres Freund <andres@anarazel.de> wrote: >>> Seems we ought to use SSL_CTX_set_num_tickets() to prevent issuing the useless >>> tickets? >> Agreed, in 1.1.1 and above as the API was only introduced then. LibreSSL added >> the API in 3.5.4 but only for compatibility since it doesn't support TLS >> tickets at all. > > Wow, that's a bizarre API. The OpenSSL docs are not clear on what the possible values for SSL_CTX_set_num_tickets() are. It talks about 0, and mentions that 2 is the default, but what does it mean to set it to 1, or 5, for example? It means that 1 or 5 tickets can be sent to the user, OpenSSL accepts an arbitrary number of tickets (tickets can be issued at other points during the connection than the handshake AFAICT). > Anyway, it's pretty clear that SSL_CTX_set_num_tickets(0) can be used to disable tickets, so that's fine. > >>> It seems like a buglet in openssl that it forces each session tickets to be >>> sent in its own packet (it does an explicit BIO_flush(), so even if we >>> buffered between openssl and OS, as I think we should, we'd still send it >>> separately), but I don't really understand most of this stuff. >> I don't see anything in the RFCs so not sure. >> The attached applies this, and I think this is backpatching material since we >> arguably fail to do what we say in the code. AFAIK we don't have a hard rule >> against backpatching changes to autoconf/meson? > > Looks good to me. Backpatching autoconf/meson changes is fine, we've done it before. Thanks for review, I've applied this backpatched all the way. -- Daniel Gustafsson
Commits
-
Fix building with MSVC for TLS session disabling
- e6dd0b8637b3 12.20 landed
- 634710dfb776 13.16 landed
- ddd66a6295c5 14.13 landed
- ce3045e9b0e5 15.8 landed
- 441eba34dfc5 16.4 landed
-
Fix macro placement in pg_config.h.in
- 83b4a6358b0a 16.4 landed
- 1272cfb7277f 17.0 landed
- 161c73462bf2 18.0 landed
- ac77add23b81 12.20 landed
- 970cd5c62b72 15.8 landed
- 51c1b4fd1579 14.13 landed
- 40e8ea9492df 13.16 landed
-
Disable all TLS session tickets
- ecbb1cd9b7ec 14.13 landed
- cc606afce1fb 16.4 landed
- 3df7f44a8c7c 17.0 landed
- 32121c077d69 12.20 landed
- 274bbced8538 18.0 landed
- 1f476bc75376 13.16 landed
- 118ec331bfb7 15.8 landed