From 38c2679776add85b9818ac01cd3e8ccebb2c9993 Mon Sep 17 00:00:00 2001
From: PleasantMachine9 <65126927+PleasantMachine9@users.noreply.github.com>
Date: Sat, 19 Sep 2020 00:13:27 +0200
Subject: [PATCH 1/3] disable the use of session tickets on TLSv1.2 by default

Since currently session resumption is not supported by urllib3, there is no reason to request tickets from the server. It takes up extra bytes in transit (~200 bytes), and raises some minor security concerns.

See also: https://blog.filippo.io/we-need-to-talk-about-session-tickets/
---
 src/urllib3/util/ssl_.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
index 5d84409118..2f863acd30 100644
--- a/src/urllib3/util/ssl_.py
+++ b/src/urllib3/util/ssl_.py
@@ -58,10 +58,11 @@ def _const_compare_digest_backport(a, b):
 try:
- from ssl import OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION
+ from ssl import OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION, OP_NO_TICKET
 except ImportError:
 OP_NO_SSLv2, OP_NO_SSLv3 = 0x1000000, 0x2000000
 OP_NO_COMPRESSION = 0x20000
+ OP_NO_TICKET = 0x4000
 # A secure default.
@@ -273,6 +274,11 @@ def create_urllib3_context(
 # Disable compression to prevent CRIME attacks for OpenSSL 1.0+
 # (issue #309)
 options |= OP_NO_COMPRESSION
+ # TLSv1.2 only. Unless set explicitly, do not request tickets.
+ # This may save some bandwidth on wire, and although the ticket is encrypted,
+ # there is a risk associated with it being on wire,
+ # if the server is not rotating its ticketing keys properly.
+ options |= OP_NO_TICKET
 context.options |= options

From 69e82e3e5908eb6009d5f156e19d7d6b70580beb Mon Sep 17 00:00:00 2001
From: Seth Michael Larson
Date: Thu, 24 Sep 2020 21:37:41 -0500
Subject: [PATCH 2/3] Update ssl_.py

---
 src/urllib3/util/ssl_.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
index 2f863acd30..a65febef9f 100644
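Review bot: The comment above the new `options |= OP_NO_TICKET` says "TLSv1.2 only" but never explains the consequence, which is the security-relevant part: as far as I know OpenSSL's behaviour, this flag only stops the client from offering the RFC 5077 session_ticket extension on TLS 1.2 and below, while a TLS 1.3 server still pushes NewSessionTicket messages after the handshake regardless of the option, so neither the bandwidth saving nor the ticket-key-rotation concern described in the comment applies to TLS 1.3 connections. I would replace the four comment lines with something like `# Do not offer RFC 5077 session tickets (TLS <= 1.2 only: a TLS 1.3 server still sends NewSessionTicket after the handshake regardless of this flag). Resumption is unused here, and a ticket on the wire is only as safe as the server's ticket-key rotation.` The ``:param options:`` docstring that advertises this default should carry the same one-line caveat. The enclosing `create_urllib3_context` starts and ends outside the hunk, so I cannot confirm from here that this sits inside the `options is None` branch the comment's "unless set explicitly" implies.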
--- a/src/urllib3/util/ssl_.py
+++ b/src/urllib3/util/ssl_.py
@@ -58,10 +58,15 @@ def _const_compare_digest_backport(a, b):
 try:
- from ssl import OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION, OP_NO_TICKET
+ from ssl import OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_COMPRESSION
 except ImportError:
 OP_NO_SSLv2, OP_NO_SSLv3 = 0x1000000, 0x2000000
 OP_NO_COMPRESSION = 0x20000
+
+
+try: # OP_NO_TICKET was added in Python 3.6
+ from ssl import OP_NO_TICKET
+except ImportError:
 OP_NO_TICKET = 0x4000

From 1bda47f52e32348f2b5306565470b873e9e21181 Mon Sep 17 00:00:00 2001
From: Seth Michael Larson
Date: Thu, 24 Sep 2020 21:39:50 -0500
Subject: [PATCH 3/3] Update ssl_.py

---
 src/urllib3/util/ssl_.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/urllib3/util/ssl_.py b/src/urllib3/util/ssl_.py
index a65febef9f..70982a58c1 100644
--- a/src/urllib3/util/ssl_.py
+++ b/src/urllib3/util/ssl_.py
@@ -256,7 +256,7 @@ def create_urllib3_context(
 ``ssl.CERT_REQUIRED``.
 :param options:
 Specific OpenSSL options. These default to ``ssl.OP_NO_SSLv2``,
- ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``.
+ ``ssl.OP_NO_SSLv3``, ``ssl.OP_NO_COMPRESSION``, and ``ssl.OP_NO_TICKET``.
 :param ciphers:
 Which cipher suites to allow the server to select.
 :returns:
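Review bot: The fallback `OP_NO_TICKET = 0x4000` that now forms the body of the new `except ImportError:` block is a bare magic number with no provenance, and because the flag is OR'd straight into the OpenSSL option bits a wrong value would silently set a different option rather than fail; I would annotate it as `OP_NO_TICKET = 0x4000  # OpenSSL SSL_OP_NO_TICKET (bit 14)` so the next reader can check it against the OpenSSL headers instead of trusting it. The new try/except also fires when the `ssl` module is absent altogether, not only on Python < 3.6 as the comment `# OP_NO_TICKET was added in Python 3.6` suggests; presumably harmless since the value is only consumed when a context is built, but the comment could say "or no ssl module" to match the older fallback block above it. The same provenance comments would suit the three older constants in the first `except` block, though those are pre-existing.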