GnuTLS was using an all-zero key for encrypting TLS session tickets. Whoops.
FFS can we just deprecate session resumption already? It's not worth the risks.
Thankfully either side (client or server) can unilaterally refuse to use it, so there are lots of paths to push for deprecation.
TLS 1.3 already goes a long way towards that and most people aren't trying to use 0-RTT. There will be even less reason to care about it with QUIC since it puts the TLS handshake into the equivalent of the TCP handshake as long as the certificates aren't too bloated.
Then just drop support for session resumption and call it an incentive to move to TLS 1.3...
I always disable session tickets because nginx (and Apache) don't rotate them so you don't really have any forward secrecy except after you restart the web server. TLS 1.3 removed session caching / ids, so it only has session tickets, and I disable those, so I live in that world.
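The two server-side options the thread talks about, shown as an added nginx configuration example (not posted by anyone in the thread): the default, where nginx issues tickets under a key generated once at startup and never rotated, next to the two defensible alternatives, switching tickets off entirely or supplying explicitly rotated key files. The server names, certificate paths and key-file paths are placeholders.

```nginx
# --- Weak (effectively the nginx default) ---
# Tickets are on, and the ticket key is a random value chosen when the worker
# starts. Every resumable session is protected by that one key until the
# server is restarted, so compromise of the key undoes forward secrecy for
# the whole uptime of the process.
server {
    listen 443 ssl;
    server_name weak.example.invalid;          # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets on;                    # default value, shown explicitly
}

# --- Option 1: refuse tickets (the approach taken in the thread) ---
# With tickets off, TLS 1.3 clients get a full handshake every time, which
# costs one round trip per connection but leaves nothing on the server that
# could later decrypt a recorded session.
server {
    listen 443 ssl;
    server_name notickets.example.invalid;     # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    ssl_session_cache   off;                   # also drop the TLS 1.2 ID cache
}

# --- Option 2: keep tickets, but rotate the keys yourself ---
# nginx uses the FIRST listed key to encrypt new tickets and all listed keys
# to decrypt incoming ones. An external job (cron, config management) must
# write a fresh random 80-byte file to current.key, move the old one to
# previous.key, and reload nginx; nginx does not rotate on its own.
server {
    listen 443 ssl;
    server_name rotated.example.invalid;       # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ticket-keys/current.key;   # encrypt + decrypt
    ssl_session_ticket_key /etc/nginx/ticket-keys/previous.key;  # decrypt only
    ssl_session_timeout 1h;   # bound how long a rotated-out key still matters
}
```

Apache's equivalent is `SSLSessionTickets off` or, to rotate, `SSLSessionTicketKeyFile` pointed at a file you regenerate and reload on a schedule. Whichever option is chosen, the key files must be generated from a real random source and be readable only by the server user; a fixed or all-zero key, as in the GnuTLS bug that started the thread, makes every ticket decryptable by anyone who captured the traffic.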