Hello! On Mon, Jan 24, 2022 at 03:35:18PM +0300, Sergey Kandaurov wrote:
> > On 21 Jan 2022, at 06:57, Maxim Dounin <[email protected]> wrote: > > > > # HG changeset patch > > # User Maxim Dounin <[email protected]> > > # Date 1642737110 -10800 > > # Fri Jan 21 06:51:50 2022 +0300 > > # Node ID cff51689a4a182cb11cba2eb9303e2bc21815432 > > # Parent 96ae8e57b3dd1b10f29d3060bbad93b7f9357b92 > > SSL: always renewing tickets with TLSv1.3 (ticket #1892). > > > > Chrome only use TLS session tickets once with TLS 1.3, likely following > > uses ? Fixed, thnx. > > RFC 8446 Appendix C.4 recommendation. > > Besides that, there's a study [1] that discusses 3rd-party > tracking via session resumption. Although improvements > in TLS 1.3 that provide different PSK identities in session > tickets are used to protect against correlation by a passive > observer, the study suggests to completely deactivate TLS 1.3 > session resumption for privacy reasons. Sure, but this is certainly unrelated to Chrome behaviour, since it does accept and use new session tickets, thus allowing infinite tracking. > This might be also due to 0-RTT Anti-Replay guidance in case > the selection from available tickets is agnostic to 0-RTT. > Practical analysis in [2] demonstrates that Chrome(ium) indeed > selects among tickets never used before. It doesn't make clear > separation, though, whether this depends on sending 0-RTT. The particular behaviour was observed with 0-RTT disabled on the server ("ssl_early_data off;", the default), so browser knows in advance that 0-RTT is not going to be used. While it might be the reason, this would be suboptimal behaviour. > [1] https://arxiv.org/abs/1810.07304 > [2] "A Survey of TLS 1.3 0-RTT Usage", Mihael Liskij > > > With OpenSSL, this works fine with > > built-in session tickets, since these are explicitly renewed in case of > > TLS 1.3 on each session reuse, but results in only two connections being > > reused after an initial handshake when using ssl_session_ticket_key. > > > > Fix is to always renew TLS session tickets in case of TLS 1.3 when using > > ssl_session_ticket_key, similarly to how it is done by OpenSSL internally. > > > > diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c > > --- a/src/event/ngx_event_openssl.c > > +++ b/src/event/ngx_event_openssl.c > > @@ -4448,7 +4448,21 @@ ngx_ssl_session_ticket_key_callback(ngx_ > > return -1; > > } > > > > - return (i == 0) ? 1 : 2 /* renew */; > > + /* renew if TLSv1.3 */ > > + > > +#ifdef TLS1_3_VERSION > > + if (SSL_version(ssl_conn) == TLS1_3_VERSION) { > > + return 2; > > + } > > +#endif > > + > > + /* renew if non-default key */ > > + > > + if (i != 0) { > > + return 2; > > + } > > + > > + return 1; > > } > > } > > > > Looks good. -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
