From: Daniel Kubec Date: Mon, 25 May 2026 11:29:48 +0000 (+0200) Subject: CHANGES.md: mention tickets disabling on set SSL_OP_NO_TICKET|SSL_SESS_CACHE_OFF X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be27d28c61deef2d013eb244cea1b1959ed37a0a;p=thirdparty%2Fopenssl.git CHANGES.md: mention tickets disabling on set SSL_OP_NO_TICKET|SSL_SESS_CACHE_OFF Complements: e5a18924e261 "TLS1.3: Disable tickets when SSL_OP_NO_TICKET and SSL_SESS_CACHE_OFF are set." Reviewed-by: Eugene Syromiatnikov Reviewed-by: Tomas Mraz MergeDate: Tue May 26 14:40:46 2026 (Merged from https://github.com/openssl/openssl/pull/31288) --- diff --git a/CHANGES.md b/CHANGES.md index 65956ba7a83..17ce78fc383 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -45,6 +45,17 @@ OpenSSL Releases *Craig Lorentzen* + * Do not issue TLS1.3 session tickets if the server has explicitly disabled + them via `SSL_OP_NO_TICKET` and also turned off the session cache with + `SSL_SESS_CACHE_OFF`. Both conditions together indicate a clear intent to + suppress resumption, so sending NewSessionTicket messages would be wasteful + and misleading. TLS1.3 client that does not send the `psk_key_exchange_modes` + extension, or that sends it together with [RFC 9149] parameters such as + `new_session_count = 0` or `resumption_count = 0`, is effectively signaling + no interest in session tickets and session resumption. + + *Daniel Kubec* + * Added test framework for testing function memory allocation failures. *Jakub Zelenka* @@ -23062,6 +23073,7 @@ ndif [RFC 7919]: https://datatracker.ietf.org/doc/html/rfc7919 [RFC 8422]: https://datatracker.ietf.org/doc/html/rfc8422 [RFC 8998]: https://datatracker.ietf.org/doc/html/rfc8998#name-iana-considerations +[RFC 9149]: https://datatracker.ietf.org/doc/html/rfc9149 [RFC 9849]: https://datatracker.ietf.org/doc/html/rfc9849 [SP 800-132]: https://csrc.nist.gov/pubs/sp/800/132/final [SP 800-185]: https://csrc.nist.gov/pubs/sp/800/185/final
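Review bot: The last sentence of the new CHANGES.md entry ("TLS1.3 client that does not send the `psk_key_exchange_modes` extension, or that sends it together with [RFC 9149] parameters ... is effectively signaling no interest in session tickets and session resumption") describes what a client signals but never states what the server now does in response, or how that case relates to the `SSL_OP_NO_TICKET` plus `SSL_SESS_CACHE_OFF` condition in the first sentence. Suggest stating the server-side effect explicitly (for example, whether NewSessionTicket messages are also withheld for such clients or whether this is only background rationale), and adding the missing article ("A TLS1.3 client"). Since the entry stresses "Both conditions together", it would also help operators to say in one clause that behaviour is unchanged when only one of the two options is set.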