Disable session tickets to work around an OpenSSL/TLS1.3 bug
jedisct1 committed Oct 13, 2021
1 parent 75f3f14 commit fa21200
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions src/tls.c
Expand Up @@ -326,6 +326,7 @@ static void tls_init_options(void)
# ifdef SSL_OP_NO_TLSv1_3
SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_3);
# endif
SSL_CTX_set_num_tickets(tls_ctx, 0);
if (tlsciphersuite != NULL) {
if (SSL_CTX_set_cipher_list(tls_ctx, tlsciphersuite) != 1) {
logfile(LOG_ERR, MSG_TLS_CIPHER_FAILED, tlsciphersuite);
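Review bot: the new SSL_CTX_set_num_tickets(tls_ctx, 0) call at line 329 is unconditional, but that function only exists from OpenSSL 1.1.1 onward, so the link step fails against OpenSSL 1.1.0 with an undefined reference (exactly the report in the comments below). Guard it the same way the adjacent SSL_OP_NO_TLSv1_3 block is guarded, for example `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` around the call. A zero ticket count also means TLS 1.3 clients can never resume a session, which is the user-visible cost the later comments describe; the commit message should name the OpenSSL bug being worked around so the workaround can be dropped once fixed builds are common.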

8 comments on commit fa21200

@novafire99

This commit causes compile error on Debian 9, removing it compiles ok. Error below:

libpureftpd.a(libpureftpd_a-tls.o): In function `tls_init_options': /pure-ftpd-1.0.50/src/tls.c:329: undefined reference to `SSL_CTX_set_num_tickets'
collect2: error: ld returned 1 exit status
Makefile:830: recipe for target 'pure-ftpd' failed
make[2]: *** [pure-ftpd] Error 1

OpenSSL 1.1.0l 10 Sep 2019

@istiak101

@novafire99 SSL_CTX_set_num_tickets() was added in OpenSSL 1.1.1

@novafire99

Thank you for the reply. It would be nice if there were some kind of conditional compile to detect an older version and exclude the call. There are still many OSes that have 1.1.0 and are not EOL yet, and it would be good if systems could be kept updated until then, even if they won't be able to use newer protocols.

@istiak101

@novafire99

Awesome, thank you. Have a great day.


@Vringe Vringe commented on fa21200 Feb 3, 2022


@jedisct1 We are currently upgrading our infrastructure which also includes a pure-ftpd update to 1.0.50.
Since then, we have a lot of customers complaining about a popup showing up in FileZilla Client saying that the connection is insecure because the server does not support TLS session resumption. This is confusing for a lot of customers.

As far as I understand, TLS session resumption is completely disabled with this commit?
Is there maybe a less-radical way of working around this issue?

It seems that other projects, proftpd for example, are using different approaches to solve that problem.

@CyberCr33p

@Vringe same here. We use PureFTPd 1.0.50 with OpenSSL 1.1.1k. The last versions of Filezilla show this warning.


@Vringe Vringe commented on fa21200 Feb 21, 2022


For the record: This has been fixed in commit 9f78b98
Can confirm that it works. Thank you :)
