From: Remi Gacogne Date: Tue, 8 Oct 2019 14:14:04 +0000 (+0200) Subject: dnsdist: Really disable TLS tickets for TLS 1.3 when asked X-Git-Tag: dnsdist-1.4.0-rc4~32^2~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b3bc06222badbb84213f0117963af70e50124b12;p=pdns dnsdist: Really disable TLS tickets for TLS 1.3 when asked
---
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 2f3cd457e..e2480e078 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -930,7 +930,13 @@ static std::unique_ptr getTLSContext(DOHFrontend& df SSL_OP_SINGLE_ECDH_USE; if (!df.d_enableTickets || df.d_numberOfTicketsKeys == 0) { +    /* for TLS 1.3 this means no stateless tickets, but stateful tickets might still be issued, + which is something we don't want. */ sslOptions |= SSL_OP_NO_TICKET; + /* really disable all tickets */ +#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS + SSL_CTX_set_num_tickets(ctx.get(), 0); +#endif /* HAVE_SSL_CTX_SET_NUM_TICKETS */ } else { df.d_ticketKeys = std::unique_ptr(new OpenSSLTLSTicketKeysRing(df.d_numberOfTicketsKeys));
diff --git a/pdns/dnsdistdist/m4/dnsdist_with_libssl.m4 b/pdns/dnsdistdist/m4/dnsdist_with_libssl.m4
index 730b33c7f..ca8885ce8 100644
--- a/pdns/dnsdistdist/m4/dnsdist_with_libssl.m4
+++ b/pdns/dnsdistdist/m4/dnsdist_with_libssl.m4
@@ -17,7 +17,7 @@ AC_DEFUN([DNSDIST_WITH_LIBSSL], [ save_LIBS=$LIBS CFLAGS="$LIBSSL_CFLAGS $CFLAGS" LIBS="$LIBSSL_LIBS -lcrypto $LIBS" - AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites OCSP_basic_sign]) + AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites OCSP_basic_sign SSL_CTX_set_num_tickets]) CFLAGS=$save_CFLAGS LIBS=$save_LIBS
diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc
index b3cf999ce..40d41698e 100644
--- a/pdns/dnsdistdist/tcpiohandler.cc
+++ b/pdns/dnsdistdist/tcpiohandler.cc 
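Review bot: The ticket-disabling branch — `sslOptions |= SSL_OP_NO_TICKET;` followed by the `#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS` guarded `SSL_CTX_set_num_tickets(..., 0)` call — is now duplicated verbatim between this doh.cc hunk and the tcpiohandler.cc hunk, so the two copies can drift the next time the library's ticket semantics change; a small shared helper that both frontends call from their `!d_enableTickets || d_numberOfTicketsKeys == 0` branch would keep them in step. The `#ifdef` fallback also deserves a comment stating why silently skipping the call is acceptable, e.g. `/* without SSL_CTX_set_num_tickets (OpenSSL < 1.1.1) there is no TLS 1.3 support, so SSL_OP_NO_TICKET alone already suppresses every ticket */` — that holds for OpenSSL, where both arrived in the same release, but should be confirmed for any other libssl the build is expected to link against, since there the stateful TLS 1.3 tickets this commit targets would quietly come back. The enclosing function getTLSContext starts and ends outside the hunk.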
@@ -243,7 +243,13 @@ public: } if (!fe.d_enableTickets || fe.d_numberOfTicketsKeys == 0) { + /* for TLS 1.3 this means no stateless tickets, but stateful tickets might still be issued, + which is something we don't want. */ sslOptions |= SSL_OP_NO_TICKET; + /* really disable all tickets */ +#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS + SSL_CTX_set_num_tickets(d_tlsCtx.get(), 0); +#endif /* HAVE_SSL_CTX_SET_NUM_TICKETS */ } else { /* use our own ticket keys handler so we can rotate them */