From b72af0bdf1d0b8b3b449d16f98b525514f444df5 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Wed, 15 Aug 2018 00:53:59 -0400 Subject: [PATCH] Avoid issuing multiple tickets with TLS 1.3 With the upcoming OpenSSL 1.1.1 release TLS 1.3 is supported, and multiple tickets are issued for each full handshake, this is counter-productive for SMTP, so we ask OpenSSL to mint just one ticket. --- postfix/src/tls/tls.h | 5 +++++ postfix/src/tls/tls_server.c | 16 +++++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index a9c4d7885..e83ff091d 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -107,6 +107,11 @@ extern const char *str_tls_level(int); #define TLS_method SSLv23_method #define TLS_client_method SSLv23_client_method #define TLS_server_method SSLv23_server_method +#endif + + /* Backwards compatibility with OpenSSL < 1.1.1 */ +#if OPENSSL_VERSION_NUMBER < 0x1010100fUL +#define SSL_CTX_set_num_tickets(ctx, num) ((void)0) #endif /* SSL_CIPHER_get_name() got constified in 0.9.7g */ diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index 84426a639..19abedb96 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -502,8 +502,22 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) ticketable = 0; } } - if (ticketable) + if (ticketable) { SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb); + /* + * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more + * than one ticket per handshake. While this may be appropriate for + * communication between browsers and webservers, it is not terribly + * useful for MTAs, many of which other than Postfix don't do TLS + * session caching at all, and Postfix has no mechanism for storing + * multiple session tickets, if more than one sent, the second clobbers + * the first. OpenSSL 1.1.1 servers default to issuing two tickets for + * non-resumption handshakes, we reduce this to one. Our ticket + * decryption callback already (since 2.11) asks OpenSSL to avoid + * issuing new tickets when the presented ticket is re-usable. + */ + SSL_CTX_set_num_tickets(server_ctx, 1); + } #endif if (!ticketable) off |= SSL_OP_NO_TICKET;