Open
Labels: NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
Description
What version of Go are you using (go version)?
$ go version
go version go1.20.3 darwin/arm64
What operating system and processor architecture are you using (go env)?
$ go env
GO111MODULE=""
GOARCH="arm64"
GOBIN=""
GOCACHE="/Users/marten/Library/Caches/go-build"
GOENV="/Users/marten/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="arm64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/marten/src/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/marten/src/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/Users/marten/bin/go1.20ex"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/Users/marten/bin/go1.20ex/pkg/tool/darwin_arm64"
GOVCS=""
GOVERSION="go1.20.3"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/q0/b5ynf00142l7bl9sp8y098zr0000gn/T/go-build2554136632=/tmp/go-build -gno-record-gcc-switches -fno-common"
Does this issue reproduce with the latest release?
Yes
What did you do?
I resumed multiple TLS sessions to the same server (without saving the session ticket issued on the first resumed connection).
What did you expect to see?
I expected the ticket to not be reused. RFC 8446 Appendix C.4 says:
Clients SHOULD NOT reuse a ticket for multiple connections. Reuse of a ticket allows passive observers to correlate different connections.
While it's just a SHOULD NOT and not a MUST NOT, is there any good reason to deviate from the advice given in the RFC?
What did you see instead?
Session tickets are only removed when the handshake fails or when either the server certificate or the session ticket has expired.
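A client-side way to get single-use tickets with the existing `tls.ClientSessionCache` interface, as an added example that is not part of the issue or of the Go project's code. The names `singleUseCache` and `NewSingleUseCache` and the cache key are hypothetical; the wrapper removes an entry as soon as the handshake fetches it, so a ticket is offered on at most one connection.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sync"
)

// singleUseCache (hypothetical name) wraps a tls.ClientSessionCache and
// hands each stored session out at most once, so a ticket is never offered
// on two connections.
type singleUseCache struct {
	mu    sync.Mutex
	inner tls.ClientSessionCache
}

// NewSingleUseCache (hypothetical helper) wraps the standard LRU cache.
func NewSingleUseCache(capacity int) tls.ClientSessionCache {
	return &singleUseCache{inner: tls.NewLRUClientSessionCache(capacity)}
}

// Get returns the cached session and removes it in the same critical
// section, so concurrent dials cannot both receive the same ticket.
func (c *singleUseCache) Get(key string) (*tls.ClientSessionState, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	s, ok := c.inner.Get(key)
	if !ok || s == nil {
		return nil, false
	}
	c.inner.Put(key, nil) // a nil state removes the entry
	return s, true
}

// Put stores a ticket received from the server (or removes the entry when
// s is nil), as the handshake code expects.
func (c *singleUseCache) Put(key string, s *tls.ClientSessionState) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.inner.Put(key, s)
}

func main() {
	cfg := &tls.Config{ClientSessionCache: NewSingleUseCache(64)}
	cfg.ClientSessionCache.Put("constructed-key", &tls.ClientSessionState{}) // constructed sample entry
	_, first := cfg.ClientSessionCache.Get("constructed-key")
	_, second := cfg.ClientSessionCache.Get("constructed-key")
	fmt.Println(first, second)
}
```

If the server issues a new ticket during the resumed connection, the handshake's `Put` repopulates the cache; otherwise the next connection to that server performs a full handshake.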