From 09fa60df6e9929364a2c0830eff1e0f4f27ba095 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 30 Dec 2018 22:46:25 +0000
Subject: [PATCH] OpenSSL: send no TLS1.3 session tickets
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/tls-openssl.c | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d24b44c94..75427d68e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,6 +11,10 @@ Exim version 4.93
JH/01 OpenSSL: With debug enabled output keying information sufficient, server side, to decode a TLS 1.3 packet capture.
+JH/02 OpenSSL: suppress the sending of (stateful) TLS1.3 session tickets.
+ Previously the default library behaviour applied, sending two, each in
+ its own TCP segment.
+
Exim version 4.92
-----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 692022063..169cf564f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -94,6 +94,7 @@ change this guard and punt the issue for a while longer. */
#ifndef LIBRESSL_VERSION_NUMBER
# if OPENSSL_VERSION_NUMBER >= 0x010101000L
# define OPENSSL_HAVE_KEYLOG_CB
+# define OPENSSL_HAVE_NUM_TICKETS
# endif
#endif
@@ -1809,6 +1810,10 @@ if (init_options)
else DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
+#ifdef OPENSSL_HAVE_NUM_TICKETS
+SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
+#endif
+
/* We'd like to disable session cache unconditionally, but foolish Outlook Express clients then give up the first TLS connection and make a second one (which works). Only when there is an IMAP service on the same machine.
--
2.30.2
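Review bot: The inline comment `/* send no TLS1.3 stateful-tickets */` on the `SSL_CTX_set_num_tickets(ctx, 0)` line in the second tls-openssl.c hunk does not record what the server gives up: with zero tickets a TLS 1.3 client never receives a resumption PSK, so every TLS 1.3 connection from such a client is a full handshake and early data is never possible, whereas the session cache kept for Outlook Express just below still serves TLS 1.2 resumption. Whether the suppressed tickets would have been stateful or stateless depends on SSL_OP_NO_TICKET among the init_options handled just above, which this hunk does not show, so "stateful" in the comment is only true under that option. I would extend the comment to `/* send no TLS1.3 session tickets: TLS1.3 clients then never resume (and never send early data); TLS1.2 resumption via the session cache below is unaffected */`. The function containing this call starts and ends outside the hunk.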