GnuTLS was using an all-zero key for encrypting TLS session tickets. Whoops.
Conversation
Replying to
FFS can we just deprecate session resumption already? It's not worth the risks.
1
2
26
Thankfully either side (client or server) can unilaterally refuse to use it, so there are lots of paths to push for deprecation.
1
1
2
TLS 1.3 already goes a long way towards that and most people aren't trying to use 0-RTT. There will be even less reason to care about it with QUIC since it puts the TLS handshake into the equivalent of the TCP handshake as long as the certificates aren't too bloated.
Then just drop support for session resumption and call it an incentive to move to TLS 1.3...
1
1
1
I always disable session tickets because nginx (and Apache) don't rotate them so you don't really have any forward secrecy except after you restart the web server. TLS 1.3 removed session caching / ids, so it only has session tickets, and I disable those, so I live in that world.
1
2
With QUIC, if you don't use bloated certificates, you don't need any extra round trip for TLS anyway without needing the scary 0-RTT feature. 0-RTT is pretty fucking sketchy by the way. It would be safe to use with HTTP GET with how I implement services but not the way most do...
1
1
I'm really not interested in hearing about Google's goofy attempt to replace standard protocols for the sake of making hideously bloated websites less disincentivized by bad ux.
1
1
Show replies