Re: Getting SSL_SESSION remaining lifetime
On Thu, Sep 16, 2021 at 06:50:40PM +0200, Hubert Kario wrote: > On Thursday, 16 September 2021 17:59:48 CEST, Viktor Dukhovni wrote: > > The Internet does not solely consist of browser traffic from portable > > devices at wifi hotspots to taboo web sites. > > taboo web sites are not the only reason to expect privacy... Indeed, but there are also applications in which client "privacy" is both unavailable and undesirable. One size does not fit all. -- Viktor.
Re: Getting SSL_SESSION remaining lifetime
On Thursday, 16 September 2021 17:59:48 CEST, Viktor Dukhovni wrote: The Internet does not solely consist of browser traffic from portable devices at wifi hotspots to taboo web sites. taboo web sites are not the only reason to expect privacy... -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
Re: Getting SSL_SESSION remaining lifetime
On Thu, Sep 16, 2021 at 04:11:49PM +0200, Hubert Kario wrote: > On Thursday, 16 September 2021 04:41:44 CEST, Jaya Muthiah wrote: > > > > I am trying to get the remaining lifetime of the ticket so that > > server can decide to renew ticket or not > > TLS 1.3 tickets are single use. If the ticket was used by a client, > and you expect it to make a connection in the future, server needs to > send a new one. This is wrong both in terms of specification and the extant OpenSSL implementation. The Postfix SMTP server arranges to accept multi-use tickets without reissuing replacement tickets when the original ticket is still good for reuse. Ticket reuse is well suited to the MTA-to-MTA use-case where "privacy" is not only a concern but in fact undesirable. MTAs often reject traffic from senders with no PTR records, generic PTR records, poor IP reputation, The Internet does not solely consist of browser traffic from portable devices at wifi hotspots to taboo web sites. -- Viktor.
Re: Getting SSL_SESSION remaining lifetime
On Thu, Sep 16, 2021 at 04:57:03PM +0200, Hubert Kario wrote: > On Thursday, 16 September 2021 16:28:47 CEST, Benjamin Kaduk wrote: > > On Thu, Sep 16, 2021 at 04:11:49PM +0200, Hubert Kario wrote: > > > On Thursday, 16 September 2021 04:41:44 CEST, Jaya Muthiah wrote: > > > > > > > > I am trying to get the remaining lifetime of the ticket so that server > > > > can decide to renew ticket or not > > > > > > TLS 1.3 tickets are single use. If the ticket was used by a client, and > > > you expect it to make a connection in the future, server needs to > > > send a new > > > one. > > > > Single-use tickets are only a protocol requirement when 0-RTT data is used. > > The OpenSSL implementation even allows the libssl-internal enforcement of > > single-use to be disabled (see SSL_OP_NO_ANTI_REPLAY at > > https://urldefense.com/v3/__https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html__;!!GjvTz_vk!GxR4URFTB0lwkM5nlYZdtn3DUdeaujsu1sHMYc_nRTUpkmLQP8-zz_b4HS_rcA$ > > ). > > OpenSSL as a client also has some measures to encourate single-use tickets, > > which I have a PR open to provide a knob to disable: > > https://urldefense.com/v3/__https://github.com/openssl/openssl/pull/16598__;!!GjvTz_vk!GxR4URFTB0lwkM5nlYZdtn3DUdeaujsu1sHMYc_nRTUpkmLQP8-zz_YPrcg6yw$ > > . > > They're single use not only because of replay but also because of privacy > reasons, as reuse of a ticket indicates that the same client did send it. Yes. But the protocol itself only encourages single-use for privacy reasons. The protocol does not *require* single-use in that case. -Ben
Re: Getting SSL_SESSION remaining lifetime
On Thursday, 16 September 2021 16:28:47 CEST, Benjamin Kaduk wrote: On Thu, Sep 16, 2021 at 04:11:49PM +0200, Hubert Kario wrote: On Thursday, 16 September 2021 04:41:44 CEST, Jaya Muthiah wrote: I am trying to get the remaining lifetime of the ticket so that server can decide to renew ticket or not TLS 1.3 tickets are single use. If the ticket was used by a client, and you expect it to make a connection in the future, server needs to send a new one. Single-use tickets are only a protocol requirement when 0-RTT data is used. The OpenSSL implementation even allows the libssl-internal enforcement of single-use to be disabled (see SSL_OP_NO_ANTI_REPLAY at https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html). OpenSSL as a client also has some measures to encourate single-use tickets, which I have a PR open to provide a knob to disable: https://github.com/openssl/openssl/pull/16598 . They're single use not only because of replay but also because of privacy reasons, as reuse of a ticket indicates that the same client did send it. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
Re: Getting SSL_SESSION remaining lifetime
On Thu, Sep 16, 2021 at 04:11:49PM +0200, Hubert Kario wrote: > On Thursday, 16 September 2021 04:41:44 CEST, Jaya Muthiah wrote: > > > > I am trying to get the remaining lifetime of the ticket so that server > > can decide to renew ticket or not > > TLS 1.3 tickets are single use. If the ticket was used by a client, and > you expect it to make a connection in the future, server needs to send a new > one. Single-use tickets are only a protocol requirement when 0-RTT data is used. The OpenSSL implementation even allows the libssl-internal enforcement of single-use to be disabled (see SSL_OP_NO_ANTI_REPLAY at https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html). OpenSSL as a client also has some measures to encourate single-use tickets, which I have a PR open to provide a knob to disable: https://github.com/openssl/openssl/pull/16598 . -Ben
Re: Getting SSL_SESSION remaining lifetime
On Thursday, 16 September 2021 04:41:44 CEST, Jaya Muthiah wrote: I am trying to get the remaining lifetime of the ticket so that server can decide to renew ticket or not TLS 1.3 tickets are single use. If the ticket was used by a client, and you expect it to make a connection in the future, server needs to send a new one. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
Re: Getting SSL_SESSION remaining lifetime
On Thu, Sep 16, 2021 at 08:11:44AM +0530, Jaya Muthiah wrote: > I am trying to get the remaining lifetime of the ticket so that server can > decide to renew ticket or not In Postfix, I rotate ticket keys every hour, and sessions are valid for two hours. For the first hour when they were issued by the current ticket the ticket is accepted without forcing a new ticket to be generated. Durign the second hour when accepting tickets signed by the previous key, a fresh ticket is generated. I don't rely on OpenSSL to tell me the ticket age, it is implied by the key id. Since ticket keys should be rotated anyway, something like that might also work for you. What I haven't yet built is a mechanism to rotate keys consistely across multiple machines in a load-balancer pool. That would be generally useful. -- Viktor.
Getting SSL_SESSION remaining lifetime
I am trying to get the remaining lifetime of the ticket so that server can decide to renew ticket or not I have defined callback like this, and it is working. However, the SSL_SESSION_get_ticket_lifetime_hint() always returns zero. SSL_CTX_set_session_ticket_cb(ctx->ctx, ticket_gen_cb, ticket_dec_cb, NULL); SSL_TICKET_RETURN ticket_dec_cb(SSL *s, SSL_SESSION *ss, const unsigned char *keyname, size_t keyname_len, SSL_TICKET_STATUS status, void *arg) { SSL_TICKET_RETURN res; int lifetime = 0; switch (status) { case SSL_TICKET_EMPTY: case SSL_TICKET_NO_DECRYPT: res = SSL_TICKET_RETURN_IGNORE_RENEW; break; case SSL_TICKET_SUCCESS: //get_session_ticket_appdata(ssl, ssl_session); res = SSL_TICKET_RETURN_USE; break; case SSL_TICKET_SUCCESS_RENEW: lifetime = SSL_SESSION_get_ticket_lifetime_hint(ss); //res = SSL_TICKET_RETURN_USE_RENEW; // generate new ticket res = SSL_TICKET_RETURN_USE; // reuse old break; default: res = SSL_TICKET_RETURN_IGNORE; } return res; } Is this the right way? Can someone help please?