Gitweb:
https://git.exim.org/exim.git/commitdiff/09fa60df6e9929364a2c0830eff1e0f4f27ba095
Commit: 09fa60df6e9929364a2c0830eff1e0f4f27ba095
Parent: 3c1f3b85aa4139ba062268ca958bab0dd0d64140
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Dec 30 22:46:25 2018 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Dec 30 22:54:23 2018 +0000
OpenSSL: send no TLS1.3 session tickets
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/tls-openssl.c | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d24b44c..75427d6 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -11,6 +11,10 @@ Exim version 4.93
JH/01 OpenSSL: With debug enabled output keying information sufficient, server
side, to decode a TLS 1.3 packet capture.
+JH/02 OpenSSL: suppress the sending of (stateful) TLS1.3 session tickets.
+ Previously the default library behaviour applied, sending two, each in
+ its own TCP segment.
+
Exim version 4.92
-----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 6920220..169cf56 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -94,6 +94,7 @@ change this guard and punt the issue for a while longer. */
#ifndef LIBRESSL_VERSION_NUMBER
# if OPENSSL_VERSION_NUMBER >= 0x010101000L
# define OPENSSL_HAVE_KEYLOG_CB
+# define OPENSSL_HAVE_NUM_TICKETS
# endif
#endif
@@ -1809,6 +1810,10 @@ if (init_options)
else
DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
+#ifdef OPENSSL_HAVE_NUM_TICKETS
+SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
+#endif
+
/* We'd like to disable session cache unconditionally, but foolish Outlook
Express clients then give up the first TLS connection and make a second one
(which works). Only when there is an IMAP service on the same machine.
