From a894f05493db801281d72b5bbf98d75498f249cf Mon Sep 17 00:00:00 2001 From: Attila Szakacs Date: Tue, 28 Jul 2020 11:32:26 +0200 Subject: [PATCH] tlscontext: add workaround for a TLS 1.3 bug to prevent data loss MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a workaround for an OpenSSL TLS 1.3 bug that results in data loss when one-way protocols are used and a connection is closed by the client right after sending data. "TLS 1.3 session tickets makes it impossible to reliably implement communication patterns where the server never sends application-level data." - https://github.com/openssl/openssl/issues/10880 - https://github.com/openssl/openssl/issues/7948 Backported from OSE: 28c8013ca35be06387cf692c9ba1baee6af33511 Signed-off-by: László Várady Signed-off-by: Attila Szakacs --- lib/tlscontext.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/lib/tlscontext.c b/lib/tlscontext.c index ca76677c..f6e1568b 100644 --- a/lib/tlscontext.c +++ b/lib/tlscontext.c @@ -453,6 +453,20 @@ tls_context_setup_dh(TLSContext *self) return ctx_dh_success; } +static void +tls_context_setup_session_tickets(TLSContext *self) +{ + /* This is a workaround for an OpenSSL TLS 1.3 bug that results in data loss + * when one-way protocols are used and a connection is closed by the client + * right after sending data. + * + * Remove this call after the bug has been fixed: + * - https://github.com/openssl/openssl/issues/10880 + * - https://github.com/openssl/openssl/issues/7948 + */ + SSL_CTX_set_num_tickets(self->ssl_ctx, 0); +} + static gboolean tls_context_setup_context(TLSContext *self, GlobalConfig *cfg) { @@ -500,6 +514,9 @@ tls_context_setup_context(TLSContext *self, GlobalConfig *cfg) X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(self->ssl_ctx), verify_flags); + if (self->mode == TM_SERVER) + tls_context_setup_session_tickets(self); + tls_context_setup_verify_mode(self); SSL_CTX_set_options(self->ssl_ctx, SSL_OP_NO_SSLv2);