From: Miroslav Lichvar Date: Wed, 19 Aug 2020 11:31:48 +0000 (+0200) Subject: nts: explicitly disable session tickets X-Git-Tag: 4.0-pre3~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=892636036a54a3f0df779b6558e943b97f9b30c5;p=thirdparty%2Fchrony.git nts: explicitly disable session tickets Session tickets should never be enabled with the currect code on both clients and servers. Set the GNUTLS_NO_TICKETS flag when opening a TLS session in case this understanding is wrong, or it changes in future, to reduce the TLS attack surface.
---
diff --git a/nts_ke_session.c b/nts_ke_session.c
index 45ebda89..d18e89df 100644
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -217,7 +217,8 @@ create_tls_session(int server_mode, int sock_fd, const char *server_name,
 unsigned int flags;
 int r;
 
- r = gnutls_init(&session, GNUTLS_NONBLOCK | (server_mode ? GNUTLS_SERVER : GNUTLS_CLIENT));
+ r = gnutls_init(&session, GNUTLS_NONBLOCK | GNUTLS_NO_TICKETS |
+ (server_mode ? GNUTLS_SERVER : GNUTLS_CLIENT));
 if (r < 0) {
 LOG(LOGS_ERR, "Could not %s TLS session : %s", "create", gnutls_strerror(r));
 return NULL;
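Review bot: The new GNUTLS_NO_TICKETS flag on the gnutls_init() call carries no comment, so the rationale for refusing tickets lives only in the commit message; add above the call `/* NTS-KE never resumes TLS sessions, so refuse session tickets to keep the TLS attack surface small */`. GNUTLS_NO_TICKETS is not defined by older GnuTLS releases (it arrived in the 3.5 series, as far as I recall), so the build's minimum GnuTLS version check should be confirmed to cover it, or the flag guarded, to avoid a compile failure on older distributions. The `flags` variable declared in the context is used outside the hunk, and create_tls_session() both starts and ends outside it.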