From: Jouni Malinen Date: Mon, 2 May 2022 12:57:44 +0000 (+0300) Subject: OpenSSL: Limit the number of TLS 1.3 session tickets to one X-Git-Tag: hostap_2_11~1966 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81e24988895a58fe2c664729dcd6bb2b6de40a99;p=thirdparty%2Fhostap.git OpenSSL: Limit the number of TLS 1.3 session tickets to one One session ticket is sufficient for EAP-TLS, so do not bother generating more than a single session ticket. Signed-off-by: Jouni Malinen
---
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 564f45b6f..f992f8bf9 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1106,6 +1106,10 @@ void * tls_init(const struct tls_config *conf)
 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER);
 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime);
 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ /* One session ticket is sufficient for EAP-TLS */
+ SSL_CTX_set_num_tickets(ssl, 1);
+#endif
 } else {
 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF);
 }
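Review bot: The `else` branch that sets `SSL_SESS_CACHE_OFF` leaves the TLS 1.3 ticket count at the library default, so a server built against OpenSSL 1.1.1 or newer may still send session tickets after the handshake even though caching is disabled, unless tickets are turned off somewhere outside this hunk. If resumption is meant to be off in that case, the same version-guarded block could add `SSL_CTX_set_num_tickets(ssl, 0);` in that branch. The new call also discards the return value of `SSL_CTX_set_num_tickets()`, which reports failure as 0; a debug log on failure would keep a silently ignored setting visible. The comment names EAP-TLS, but the limit is set on the SSL_CTX built in tls_init and so presumably applies to every TLS-based method sharing that context; the comment could say so. tls_init's body starts and ends outside the hunk.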