Avoid issuing multiple tickets with TLS 1.3

With the upcoming OpenSSL 1.1.1 release TLS 1.3 is supported, and
multiple tickets are issued for each full handshake, this is
counter-productive for SMTP, so we ask OpenSSL to mint just one
ticket.

postfix/src/tls/tls.h

@@ -107,6 +107,11 @@ extern const char *str_tls_level(int);
 #define TLS_method SSLv23_method
 #define TLS_client_method SSLv23_client_method
 #define TLS_server_method SSLv23_server_method
+#endif
+
+ /* Backwards compatibility with OpenSSL < 1.1.1 */
+#if OPENSSL_VERSION_NUMBER < 0x1010100fUL
+#define SSL_CTX_set_num_tickets(ctx, num) ((void)0)
 #endif
 
 /* SSL_CIPHER_get_name() got constified in 0.9.7g */

postfix/src/tls/tls_server.c

@@ -502,8 +502,22 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 	    ticketable = 0;
 	}
     }
-    if (ticketable)
+    if (ticketable) {
 	SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb);
+        /*
+         * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more
+         * than one ticket per handshake.  While this may be appropriate for
+         * communication between browsers and webservers, it is not terribly
+         * useful for MTAs, many of which other than Postfix don't do TLS
+         * session caching at all, and Postfix has no mechanism for storing
+         * multiple session tickets, if more than one sent, the second clobbers
+         * the first.  OpenSSL 1.1.1 servers default to issuing two tickets for
+         * non-resumption handshakes, we reduce this to one.  Our ticket
+         * decryption callback already (since 2.11) asks OpenSSL to avoid
+         * issuing new tickets when the presented ticket is re-usable.
+         */
+	SSL_CTX_set_num_tickets(server_ctx, 1);
+    }
 #endif
     if (!ticketable)
 	off |= SSL_OP_NO_TICKET;