tlscontext: add workaround for a TLS 1.3 bug to prevent data loss #3082
lbudai merged 1 commit into syslog-ng:master from
This is a workaround for an OpenSSL TLS 1.3 bug that results in data loss when one-way protocols are used and a connection is closed by the client right after sending data. "TLS 1.3 session tickets make it impossible to reliably implement communication patterns where the server never sends application-level data." - openssl/openssl#10880 - openssl/openssl#7948 Signed-off-by: László Várady <laszlo.varady@protonmail.com>
@kira-syslogng do perftest

Build SUCCESS

Kira-performance-test: Build SUCCESS
I am not understanding the context entirely, just coming from the man page: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html
Should this mean we need to have a

Never mind, probably not necessary. If tickets are disabled, resumption cannot happen, therefore it does not matter how many tickets we send after resumption.

Do we need to take care of loggen too? Inside

OK, loggen is client only, so not affected.
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
This is a workaround for an OpenSSL TLS 1.3 bug that results in data loss when one-way protocols are used and a connection is closed by the client right after sending data.
"TLS 1.3 session tickets make it impossible to reliably implement communication patterns where the server never sends application-level data."
SSL_CTX_set_num_tickets(0) disables TLS 1.3 session tickets (no session ticket will be sent to the client after a full handshake). Tickets are used for session resumption. An alternative workaround would be doing a bidirectional SSL shutdown (finishing #2811), but syslog-ng is usually used together with other applications that may not take the bidi shutdown step (it is not mandatory, not even in RFC5425).
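The same server-side setting shown and checked in Python, as an added example that is not syslog-ng's code: Python's `ssl.SSLContext.num_tickets` is a direct binding of `SSL_CTX_set_num_tickets()`, so the default context and the one with this PR's workaround can be compared without a syslog-ng build. The helper names are constructed for illustration; the bidirectional-shutdown alternative (#2811) is not covered.

```python
import ssl

# Constructed helpers; only ssl.SSLContext and its num_tickets /
# maximum_version attributes (bindings of SSL_CTX_set_num_tickets() and
# SSL_CTX_set_max_proto_version()) are real OpenSSL APIs.


def default_server_context() -> ssl.SSLContext:
    """Server context as OpenSSL ships it: TLS 1.3 allowed, tickets on."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def one_way_safe_server_context() -> ssl.SSLContext:
    """Server context with the workaround from this PR applied.

    num_tickets = 0 is the equivalent of SSL_CTX_set_num_tickets(ctx, 0):
    after a full TLS 1.3 handshake the server sends no NewSessionTicket
    records, so a client that writes its log data and closes right away
    does not hit the data-loss path (openssl/openssl#10880, #7948).
    Session resumption is given up as a side effect.
    """
    ctx = default_server_context()
    ctx.num_tickets = 0
    return ctx


def ticket_data_loss_hazard(ctx: ssl.SSLContext) -> bool:
    """True when a server context could still hit the bug worked around here:
    TLS 1.3 negotiable and at least one post-handshake ticket still sent.

    Only meaningful for server contexts (clients never send tickets, which is
    why loggen is unaffected). Disabling TLS 1.3 via ctx.options is not
    inspected; maximum_version is the supported way to cap the version.
    """
    tls13_possible = (
        ctx.maximum_version == ssl.TLSVersion.MAXIMUM_SUPPORTED
        or ctx.maximum_version >= ssl.TLSVersion.TLSv1_3
    )
    return tls13_possible and ctx.num_tickets > 0
```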