Hello,

I have found that in TLS 1.3 mode nginx doesn't fully disable session tickets even with

    session_tickets off;

According to https://www.openssl.org/docs/man1.1.1/man3/SSL_get_options.html

    SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);

is not enough to disable session tickets. It only disables stateless tickets but preserves stateful ones.

It can be easily verified with

    openssl s_client -connect localhost:443

Nginx still returns session tickets. To fully disable tickets

    SSL_CTX_set_num_tickets(conf->ssl.ctx, 0);

should also be called.

I am not sure on changes. Not sure if I fully understand your intentions on this nginx behaviour. Could you please review the proposed patch?
session_tickets_off_tls_1_3.patch
Description: Binary data
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
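
Added example, not part of the original message or of nginx: a shell check that turns the `openssl s_client` verification described above into a pass/fail test by counting the session tickets in a saved s_client transcript. The function name `ticket_report` and both sample transcripts are constructed for illustration and assume the transcript layout printed by OpenSSL 1.1.1 s_client.

```shell
#!/bin/sh
# Added example, not part of the original post or of nginx.
# ticket_report reads an `openssl s_client` transcript on stdin, prints
# "<protocol> tickets=<n>" and returns non-zero when any ticket was issued.
ticket_report() {
    awk '
        /^New, / { proto = $2; sub(/,$/, "", proto) }
        # s_client prints this header once per TLS 1.3 NewSessionTicket.
        /^Post-Handshake New Session Ticket arrived:/ { tls13++ }
        # Ticket dump header; the only marker for TLS 1.2 and older.
        /^ *TLS session ticket:$/ { blobs++ }
        END {
            if (proto == "") proto = "unknown"
            n = (tls13 > 0) ? tls13 : blobs + 0
            printf "%s tickets=%d\n", proto, n
            exit (n > 0)
        }'
}

# Constructed, abbreviated transcript: TLS 1.3 server that still issues
# two tickets, the behaviour reported above.
sample_tickets_on() {
    cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
---
EOF
}

# Constructed transcript: the same server once no tickets are sent.
sample_tickets_off() {
    cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---
EOF
}

sample_tickets_on  | ticket_report || echo "FAIL: server issues session tickets"
sample_tickets_off | ticket_report && echo "OK: no session tickets"
```

To check a real server, save the output of the s_client command from the message to a file and feed that file to `ticket_report` on stdin.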