]> git.ipfire.org Git - thirdparty/chrony.git/commitdiff
projects / thirdparty / chrony.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4cf6b29)
nts: explicitly disable session tickets
authorMiroslav Lichvar <mlichvar@redhat.com>
Wed, 19 Aug 2020 11:31:48 +0000 (13:31 +0200)
committerMiroslav Lichvar <mlichvar@redhat.com>
Thu, 20 Aug 2020 14:19:13 +0000 (16:19 +0200)
Session tickets should never be enabled with the currect code on both
clients and servers. Set the GNUTLS_NO_TICKETS flag when opening a TLS
session in case this understanding is wrong, or it changes in future, to
reduce the TLS attack surface.

nts_ke_session.c patch | blob | blame | history

diff --git a/nts_ke_session.c b/nts_ke_session.c
index 45ebda89c691bfdb0e6ac73163243848176224ed..d18e89df874325132a02851a3caf5baeb517a382 100644 (file)
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -217,7 +217,8 @@ create_tls_session(int server_mode, int sock_fd, const char *server_name,
   unsigned int flags;
   int r;
 
-  r = gnutls_init(&session, GNUTLS_NONBLOCK | (server_mode ? GNUTLS_SERVER : GNUTLS_CLIENT));
+  r = gnutls_init(&session, GNUTLS_NONBLOCK | GNUTLS_NO_TICKETS |
+                  (server_mode ? GNUTLS_SERVER : GNUTLS_CLIENT));
   if (r < 0) {
     LOG(LOGS_ERR, "Could not %s TLS session : %s", "create", gnutls_strerror(r));
     return NULL;
Mirror of https://git.tuxfamily.org/chrony/chrony.git