Add sni.yaml session ticket overrides (#13006)#13044
Conversation
Add ssl_ticket_enabled and ssl_ticket_number as sni.yaml overrides, apply them during SNI handling so they affect TLS 1.2 resumption and TLS 1.3 ticket issuance, and add unit and AuTest coverage plus docs and sample config updates. Fixes apache#12953 (cherry picked from commit 8d75849)
| #endif | ||
| if (!ssl_apply_sni_session_ticket_properties(ssl)) { | ||
| retval = 0; | ||
| } |
There was a problem hiding this comment.
This is where I was confused trying to resolve conflicts. The old code calls set_tlsext_ticket_key... but the new code path doesn't seem to call that. So I worry this isn't compatible, but maybe the same thing is accomplished?
There was a problem hiding this comment.
Thanks for checking into this. The logic has changed slightly, I think for the better. Now the callback is set (along with other callbacks) in the SSLMultiCertConfigLoader::init_server_ssl_ctx below. You can see the ssl_context_enable_ticket_callback in that function further down in this file in this patch. Currently line 1347.
I'm honestly not sure why the callback was set here in the first place. If you look at the other stuff in this ssl_cert_callback, it's all cert related, not "add a callback" functionality. It had to go out of its way to reach into the SSL and get the SSL_CTX to set the callback on it. init_server_ssl_ctx is the appropriate place to configure the ticket callback.
This discussion also applies to the master patch, btw. (In case that's helpful.)
There was a problem hiding this comment.
Thank you for the extra info!
2 participants
Add ssl_ticket_enabled and ssl_ticket_number as sni.yaml overrides, apply them during SNI handling so they affect TLS 1.2 resumption and TLS 1.3 ticket issuance, and add unit and AuTest coverage plus docs and sample config updates.
Fixes #12953
(cherry picked from commit 8d75849)