﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1892	TLSv1.3 session resumption - session ticket renewal	bartebor@…		"When using TLSv1.3, session tickets are not renewed while decrypting tickets, and session resumption works only for two requests, because this is the default number of issued tickets.

On the contrary, the default session ticket handler in OpenSSL (used when no callbacks were registered via `SSL_CTX_set_tlsext_ticket_key_cb`) renews the session ticket whenever a ticket is decrypted while TLSv1.3 is in use.

Nginx provides its own ticket callback and renews the session ticket only when the client came with a ticket encrypted with an expired key (`ssl_session_ticket_key` rotated).

I believe `ngx_ssl_session_ticket_key_callback` should return 2 not only when an expired key was used, but also when TLSv1.3 is in use.

A simple working solution (not taking future TLS versions into account):
{{{
--- nginx-1.16.1-orig/src/event/ngx_event_openssl.c     2019-11-08 12:59:34.026387380 +0100
+++ nginx-1.16.1/src/event/ngx_event_openssl.c  2019-11-18 11:48:24.872995156 +0100
@@ -4138,7 +4222,8 @@
             return -1;
         }
 
-        return (i == 0) ? 1 : 2 /* renew */;
+        // renew ticket when using TLSv1.3 or ticket was encrypted with expired key
+        return (i > 0 || ngx_strcmp(SSL_get_version(ssl_conn), ""TLSv1.3"") == 0) ? 2 /* renew */ : 1;
     }
 }
 
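Review bot: the version test on the `+` line, `ngx_strcmp(SSL_get_version(ssl_conn), ""TLSv1.3"") == 0`, matches the protocol name string and therefore misses any later version, which the description already concedes; comparing the numeric version is cleaner and forward-compatible, e.g. `SSL_version(ssl_conn) >= TLS1_3_VERSION`, wrapped in `#ifdef TLS1_3_VERSION` so the file still builds against OpenSSL releases that predate TLS 1.3. Two smaller points: the doubled quotes around `""TLSv1.3""` look like an artifact of the ticket export rather than of the patch (as shown they are not a valid C string literal, so check the file before applying), and the `//` comment should be a `/* ... */` block to match the surrounding nginx code, as the existing `/* renew */` on the `-` line already does.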
}}}"	defect	closed	minor		nginx-core	1.16.x	fixed	TLS		Linux a974b548d355 5.3.0-1-amd64 #1 SMP Debian 5.3.7-1 (2019-10-19) x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.16.1 (nginx)
built by gcc 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC) 
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --with-ld-opt=-Wl,-rpath,/usr/lib64 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-libatomic --with-openssl=../openssl --with-pcre=../pcre --with-pcre-jit --with-http_v2_hpack_enc --with-compat --add-module=../ngx_devel_kit --add-module=../headersmore --add-dynamic-module=../pushstream --add-module=../lua --add-module=../stream-lua --add-module=../nginx-module-vts --add-module=../nginx-auth-ldap --add-module=../nginx-module-sts --add-module=../nginx-module-stream-sts --add-module=../ngx_brotli --add-module=../nginx_upstream_check_module --add-dynamic-module=../ngx_aws_auth --add-dynamic-module=../nginx-module-opentracing/opentracing --add-dynamic-module=../nginx-rtmp-module --with-http_v2_module --with-cc-opt='-O3 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mmmx -msse -msse2 -DTCP_FASTOPEN=23 -Wno-error=strict-aliasing' 
--with-openssl-opt='no-ssl3 no-dtls no-rc5 enable-weak-ssl-ciphers' --build=nginx --with-debug"
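A way to check a server for the behaviour described above, as an added example that is not part of the ticket or of nginx: the script below reconnects with TLS 1.3 and carries the ticket saved by each connection into the next, so the signature of this bug is a connection reported as handshake=Reused with fresh_ticket=no, followed by one reported as New. It assumes an OpenSSL 1.1.1 or later `openssl` binary, a server that speaks TLS 1.3 and plain HTTP/1.x on the given port, and that s_client rewrites the `-sess_out` file whenever a NewSessionTicket arrives (s_client keeps only the last ticket it received, so a server that issues two tickets per full handshake still shows at most one resumption here, not the two the reporter counts). The transcript embedded at the end is constructed for the offline parser check and is not captured output.

```shell
#!/bin/sh
# tls13_ticket_check.sh: added example (not from the ticket or from nginx).
# Reconnects to HOST:PORT N times with TLS 1.3, feeding the session ticket
# saved by one connection into the next, and reports for each connection
# whether the handshake was resumed and whether the server handed out a
# fresh ticket.  Assumes an OpenSSL 1.1.1+ command line tool: s_client
# rewrites the -sess_out file whenever a NewSessionTicket arrives.

# Classify one s_client transcript (stdin): prints New, Reused or Unknown.
# s_client prints a line such as "Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384".
classify_handshake() {
    awk -F', ' '
        /^(New|Reused), TLSv1\.3, Cipher is/ { print $1; found = 1 }
        END { if (!found) print "Unknown" }'
}

# Cheap identity for the session file so we can tell whether s_client rewrote it.
file_id() {
    cksum "$1" 2>/dev/null | awk '{ print $1 "-" $2 }'
}

# One connection.  The HTTP/1.0 request makes the server answer and close,
# so s_client (kept open by -ign_eof) reads the post-handshake tickets
# before it exits.  -sess_in is only passed when a ticket is on file.
tls13_connect() {
    host=$1; port=$2; sess=$3
    set -- -connect "$host:$port" -servername "$host" -tls1_3 -ign_eof -sess_out "$sess"
    [ -s "$sess" ] && set -- "$@" -sess_in "$sess"
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" | openssl s_client "$@" 2>&1
}

# Run N connections in a row and print one line per connection.
# A conforming TLS 1.3 client uses a ticket once, so when the server resumed
# the session but did not replace the ticket we discard it; that is what
# makes the following connection fall back to a full handshake.
resumption_check() {
    host=$1; port=$2; n=${3:-4}
    sess=$(mktemp) || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        before=$(file_id "$sess")
        kind=$(tls13_connect "$host" "$port" "$sess" | classify_handshake)
        after=$(file_id "$sess")
        if [ -s "$sess" ] && [ "$after" != "$before" ]; then fresh=yes; else fresh=no; fi
        echo "connection $i: handshake=$kind fresh_ticket=$fresh"
        [ "$fresh" = yes ] || : > "$sess"
        i=$((i + 1))
    done
    rm -f "$sess"
}

# Constructed, abbreviated s_client transcript used to exercise the parser offline.
SAMPLE_REUSED_TRANSCRIPT='CONNECTED(00000003)
---
Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
closed'

# Usage: sh tls13_ticket_check.sh example.org 443 4
if [ "$#" -ge 2 ]; then
    resumption_check "$@"
fi
```

Run it as `sh tls13_ticket_check.sh host 443 4`. Against a server that renews on every decryption, as the reporter describes for the OpenSSL default handler, every connection after the first reports handshake=Reused fresh_ticket=yes; a server that only renews on an expired key alternates between a full handshake and a single resumption with fresh_ticket=no.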
