From 892636036a54a3f0df779b6558e943b97f9b30c5 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 19 Aug 2020 13:31:48 +0200
Subject: [PATCH] nts: explicitly disable session tickets
Session tickets should never be enabled with the currect code on both clients and servers. Set the GNUTLS_NO_TICKETS flag when opening a TLS session in case this understanding is wrong, or it changes in future, to reduce the TLS attack surface.
---
nts_ke_session.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nts_ke_session.c b/nts_ke_session.c
index 45ebda8..d18e89d 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -217,7 +217,8 @@ create_tls_session(int server_mode, int sock_fd, const char *server_name,
 unsigned int flags;
 int r;
- r = gnutls_init(&session, GNUTLS_NONBLOCK | (server_mode ? GNUTLS_SERVER : GNUTLS_CLIENT));
+ r = gnutls_init(&session, GNUTLS_NONBLOCK | GNUTLS_NO_TICKETS |
+ (server_mode ? GNUTLS_SERVER : GNUTLS_CLIENT));
 if (r < 0) {
 LOG(LOGS_ERR, "Could not %s TLS session : %s", "create", gnutls_strerror(r));
 return NULL;
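Review bot: The reason for passing GNUTLS_NO_TICKETS is recorded only in the commit message, so the new `gnutls_init()` call gives a later reader no hint that the flag is deliberate hardening rather than a functional requirement. A one-line comment above the call would keep it from being dropped in a future cleanup, for example `/* Session tickets are not expected to be enabled by this code; disable them explicitly to reduce the TLS attack surface */`. The body of create_tls_session() starts and ends outside this hunk, so whether any later call in the function could re-enable tickets cannot be confirmed from here.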