SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); has no effect with TLS 1.3

Arran Cudbard-Bell
As per the subject line:

        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)

does not seem to disable generation of stateless tickets with TLS 1.3:

        SSL_CTX_set_num_tickets(ctx, 0);

is also required to prevent the tickets being generated.

There's no mention of this additional call on the SSL_CTX_set_session_cache_mode pages (but is documented elsewhere).

It really seems like SSL_SESS_CACHE_OFF should also disable TLS1.3 session tickets if the intent is for TLS 1.3 to mostly be a drop-in replacement for TLS <= 1.2. A user upgrades the OpenSSL library and suddenly session resumption is enabled where it wasn't before... that doesn't seem right.

In our case this broke our session_resumption control toggle, where 'session_resumption = no' prevented our EAP server implementation from presenting tickets with TLS <= 1.2 but still allowed them if TLS 1.3 was negotiated.

Disabling session resumption is more important with EAP methods like EAP-TTLS and EAP-PEAP because it controls whether phase 2 runs or not - phase 2 being where the actual credential validation happens.

This was tested with current OpenSSL master HEAD. Can test with the 1.1.* branch if that'd help.

-Arran
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); has no effect with TLS 1.3

Matt Caswell-2


On 23/01/2019 13:01, Arran Cudbard-Bell wrote:
> As per the subject line:
>
> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)
>
> does not seem to disable generation of stateless tickets with TLS 1.3:

No - nor does it disable *stateless* tickets with TLSv1.2. The purpose of the
above call is to disable session caching on the server. Since the whole point
about stateless tickets is to not require caching this has no effect on
stateless tickets. Therefore if SSL_OP_NO_TICKET has not been set then session
tickets will still be generated in TLSv1.2 even with the cache mode set to
SSL_SESS_CACHE_OFF.

However if you set the above and *also* set SSL_OP_NO_TICKET then you have
disabled both generation of stateless tickets and the creation of stateful
sessions in TLSv1.2, i.e. no sessions will be created at all in TLSv1.2.

TLSv1.3 sessions are slightly different. There is no distinction at the protocol
level between stateful session ids and stateless tickets. Instead, when sessions
are created, they are always in the form of tickets. OpenSSL supports both
stateful and stateless tickets in TLSv1.3 (with the former consisting of a
session id wrapped up in a ticket). In order to maximise compatibility between
TLSv1.3 and TLSv1.2, SSL_OP_NO_TICKET in TLSv1.3 disables *stateless* tickets
only (not stateful ones).

So we might expect that if we disable the session cache (using
SSL_SESS_CACHE_OFF) *and* disable stateless ticket generation using
SSL_OP_NO_TICKET then no tickets at all would be generated in TLSv1.3. On
testing this that doesn't seem to be the case. This appears to be an OpenSSL bug
- and I assume that is the scenario you are hitting.

Interestingly I note that the tickets generated in such a case are useless. If
you attempt to resume using them then it doesn't work. So if your intention is
simply to prevent resumption at all costs, then you have achieved it already (in
spite of the bug that creates the tickets).

I created a new github issue to track this problem:

https://github.com/openssl/openssl/issues/8077

Matt

Re: SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); has no effect with TLS 1.3

Arran Cudbard-Bell


> On Jan 23, 2019, at 9:57 PM, Matt Caswell <[hidden email]> wrote:
>
>
>
> On 23/01/2019 13:01, Arran Cudbard-Bell wrote:
>> As per the subject line:
>>
>> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)
>>
>> does not seem to disable generation of stateless tickets with TLS 1.3:
>
> No - nor does it disable *stateless* tickets with TLSv1.2. The purpose of the
> above call is to disable session caching on the server. Since the whole point
> about stateless tickets is to not require caching this has no effect on
> stateless tickets.

Apologies, I meant stateful tickets. SSL_OP_NO_TICKET was already set to disable stateless tickets.

> So we might expect that if we disable the session cache (using
> SSL_SESS_CACHE_OFF) *and* disable stateless ticket generation using
> SSL_OP_NO_TICKET then no tickets at all would be generated in TLSv1.3. On
> testing this that doesn't seem to be the case. This appears to be an OpenSSL bug
> - and I assume that is the scenario you are hitting.

OK, thanks for confirming.

> Interestingly I note that the tickets generated in such a case are useless. If
> you attempt to resume using them then it doesn't work. So if your intention is
> simply to prevent resumption at all costs, then you have achieved it already (in
> spite of the bug that creates the tickets).

That is interesting indeed, and good to know.

> I created a new github issue to track this problem:

Appreciated.

-Arran