[tor-bugs] #7139 [Tor]: Tor involuntarily sets TLS session tickets
#7139: Tor involuntarily sets TLS session tickets
-------------------------+--------------------------------------------------
Reporter: nextgens | Type: defect
Status: new | Priority: normal
Milestone: | Component: Tor
Version: | Keywords: ssl tls security pfs
Parent: | Points:
Actualpoints: |
-------------------------+--------------------------------------------------
This is bad for at least two reasons:
1) performance: It increases the size (~160 bytes) of the ChangeCipherSpec
message during the handshake; it also makes the server encrypt and HMAC
the ticket
2) security: It has implications regarding the PFS interval (no immediate
security concern here as the server certificates are ephemeral;
MAX_SSL_KEY_LIFETIME_INTERNAL = 2h atm) and exposes more attack surface
than strictly necessary (Tor doesn't use the tickets in any case: that's
why it disables the session-cache)
To disable session-tickets altogether (TLS1+ feature), one should use:
SSL_CTX_set_options(... , ...|SSL_OP_NO_TICKET)
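As an added illustration of the proposed fix (not code from the ticket, from Tor, or from OpenSSL's own test suite), the same SSL_OP_NO_TICKET flag set through Python's OpenSSL-backed ssl module: a stock server context beside the hardened one, plus a small posture check a reviewer could run against any context. It assumes Python 3.8+ for the TLS 1.3 ticket count.

```python
import ssl


def default_server_context() -> ssl.SSLContext:
    """Weak setting: a stock server context. OpenSSL leaves session tickets
    on by default, so this context issues a ticket on every full handshake
    even when, as in Tor's case, the server never resumes sessions."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def no_ticket_server_context() -> ssl.SSLContext:
    """Corrected setting: the same context with SSL_OP_NO_TICKET set, which
    is what the ticket asks Tor to pass to SSL_CTX_set_options()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_TICKET   # drops stateless tickets for TLS <= 1.2
    # TLS 1.3 (OpenSSL 1.1.1+) still sends NewSessionTicket after the
    # handshake; setting the ticket count to zero suppresses those as well.
    # Assumption: SSLContext.num_tickets exists (Python 3.8+).
    if hasattr(ctx, "num_tickets"):
        ctx.num_tickets = 0
    return ctx


def session_tickets_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the pre-TLS1.3 stateless ticket extension is turned off."""
    return bool(ctx.options & ssl.OP_NO_TICKET)


def ticket_posture(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will hand out, for review or logging.
    tls13_tickets is None on interpreters without num_tickets support."""
    return {
        "tls12_stateless_tickets": not session_tickets_disabled(ctx),
        "tls13_tickets": getattr(ctx, "num_tickets", None),
    }


if __name__ == "__main__":
    print("stock:   ", ticket_posture(default_server_context()))
    print("hardened:", ticket_posture(no_ticket_server_context()))
```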
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7139>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online