Disable the use of session tickets on TLSv1.2 by default #1970
Conversation
Since currently session resumption is not supported by urllib3, there is no reason to request tickets from the server. It takes up extra bytes in transit (~200 bytes), and raises some minor security concerns. See also: https://blog.filippo.io/we-need-to-talk-about-session-tickets/
Codecov Report
              master    #1970    +/-
Coverage     100.00%  100.00%
Files             24       24
Lines           2187     2189     +2
Hits            2187     2189     +2
This looks like a flaky test case to me? I don't see how my change would affect this TC.
Our CI is a bit flaky sometimes :) might not have been caused by your change.
It may not say so in the Python documentation, but according to OpenSSL OP_NO_TICKET is meant for server-side sockets only?
https://www.openssl.org/docs/man1.1.1/man3/SSL_set_options.html
So I confirmed in Wireshark that for TLS 1.2 specifically setting
Practically speaking it wouldn't make sense for it to be server-side only, so it's probably a documentation issue in openssl. As per the RFC detailing tickets for TLS 1.2, the client is the first party to indicate whether they support tickets, by including the empty extension. So it makes sense that we should be able to tell openssl not to send that extension.
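As an added example (not code from this PR or from urllib3), the following Python shows the two halves of the point discussed above: a client SSLContext with OP_NO_TICKET set, and a small parser that inspects a TLS 1.2 ClientHello record for the SessionTicket extension (type 35), which is the check the Wireshark confirmation above amounts to. The ClientHello samples are constructed inside the block rather than captured, and the names make_client_context, session_tickets_disabled, client_hello_extensions, advertises_session_ticket and build_client_hello are chosen here, not urllib3's.

```python
import ssl
import struct

# Extension type number of SessionTicket TLS (RFC 5077, section 3.2).
EXT_SESSION_TICKET = 35


def make_client_context(disable_tickets=True):
    """Client-side SSLContext (hypothetical helper, not urllib3's own). With
    OP_NO_TICKET set, OpenSSL leaves the empty SessionTicket extension out of
    the ClientHello, so the server is never asked to issue a ticket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if disable_tickets:
        ctx.options |= ssl.OP_NO_TICKET
    return ctx


def session_tickets_disabled(ctx):
    """True if the context will not advertise SessionTicket support."""
    return bool(ctx.options & ssl.OP_NO_TICKET)


def _parse_extensions(hello):
    """Walk a ClientHello body and return {extension_type: extension_data}."""
    pos = 2 + 32                                             # client_version + random
    pos += 1 + hello[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                    # compression_methods
    exts = {}
    if pos == len(hello):                                    # extensions block is optional
        return exts
    (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end != len(hello):
        raise ValueError("extensions length does not match ClientHello length")
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension body")
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def client_hello_extensions(record):
    """Parse one TLS record carrying a ClientHello; ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:                 # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:   # 0x01 = ClientHello
        raise ValueError("not a complete ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        return _parse_extensions(hello)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def advertises_session_ticket(record):
    """The client-side signal from RFC 5077: an (empty) SessionTicket extension."""
    return EXT_SESSION_TICKET in client_hello_extensions(record)


def build_client_hello(extensions):
    """Assemble a minimal TLS 1.2 ClientHello record. Constructed sample data
    for exercising the parser, not a captured handshake."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, no session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
             + b"\x01\x00"                               # null compression only
             + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: server_name extension (type 0) for "localhost", with and
# without the empty SessionTicket extension a client without OP_NO_TICKET sends.
SNI_LOCALHOST = b"\x00\x0c\x00\x00\x09localhost"
HELLO_WITH_TICKET = build_client_hello({0: SNI_LOCALHOST, EXT_SESSION_TICKET: b""})
HELLO_WITHOUT_TICKET = build_client_hello({0: SNI_LOCALHOST})

if __name__ == "__main__":
    print("OP_NO_TICKET set on client context:", session_tickets_disabled(make_client_context()))
    print("sample with extension advertises ticket:", advertises_session_ticket(HELLO_WITH_TICKET))
    print("sample without extension advertises ticket:", advertises_session_ticket(HELLO_WITHOUT_TICKET))
```

To check a real client, feed client_hello_extensions the raw bytes of the first record the client sends (for example copied out of a capture); with OP_NO_TICKET set, type 35 should be absent from the result. This is the TLS 1.2 mechanism the thread is about: TLS 1.3 tickets are delivered post-handshake and are not signalled by this extension.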
Trying again for the TCs
This looks good to me now, thanks for putting this together!
See #1886 and #1898
Hopefully we can add support for resumption, but until then, this flag (NO_TICKET) has no reason to be off.