client: replace enable_tickets option with tls12_resumption
This commit is contained in:
parent
326122c9ff
commit
39402e1564
@ -429,7 +429,7 @@ fn make_config(args: &Args) -> Arc<rustls::ClientConfig> {
|
|||
config.key_log = Arc::new(rustls::KeyLogFile::new());
|
||||
|
||||
if args.flag_no_tickets {
|
||||
config.enable_tickets = false;
|
||||
config.tls12_resumption = Some(rustls::client::Tls12Resumption::SessionIdOnly);
|
||||
}
|
||||
|
||||
if args.flag_no_sni {
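Review bot: The `--no-tickets` branch at the top of this hunk now only narrows TLS 1.2 resumption to session IDs; with `enable_tickets` gone, TLS 1.3 tickets and TLS 1.3 resumption stay enabled, so the flag name (and its help text, which is not in this hunk) no longer describe what it does. Either rename it, e.g. `--no-tls12-tickets`, or update the help string to say it disables RFC 5077 tickets only and leaves TLS 1.3 resumption untouched. make_config starts and ends outside this hunk.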
|
||||
|
|
|
@ -1,14 +1,13 @@
|
|||
use crate::anchors;
|
||||
use crate::builder::{ConfigBuilder, WantsVerifier};
|
||||
use crate::client::handy;
|
||||
use crate::client::{ClientConfig, ResolvesClientCert};
|
||||
use crate::client::{handy, ClientConfig, ResolvesClientCert};
|
||||
use crate::error::Error;
|
||||
use crate::key;
|
||||
use crate::key_log::NoKeyLog;
|
||||
use crate::kx::SupportedKxGroup;
|
||||
use crate::suites::SupportedCipherSuite;
|
||||
use crate::verify::{self, CertificateTransparencyPolicy};
|
||||
use crate::versions;
|
||||
use crate::NoKeyLog;
|
||||
use crate::{anchors, key, versions};
|
||||
|
||||
use super::Tls12Resumption;
|
||||
|
||||
use std::marker::PhantomData;
|
||||
use std::sync::Arc;
|
||||
|
@ -179,7 +178,7 @@ impl ConfigBuilder<ClientConfig, WantsClientCert> {
|
|||
session_storage: handy::ClientSessionMemoryCache::new(256),
|
||||
max_fragment_size: None,
|
||||
client_auth_cert_resolver,
|
||||
enable_tickets: true,
|
||||
tls12_resumption: Some(Tls12Resumption::SessionIdOrTickets),
|
||||
versions: self.state.versions,
|
||||
enable_sni: true,
|
||||
verifier: self.state.verifier,
|
||||
|
|
|
@ -155,7 +155,7 @@ pub struct ClientConfig {
|
|||
/// effect.
|
||||
///
|
||||
/// The default is true.
|
||||
pub enable_tickets: bool,
|
||||
pub tls12_resumption: Option<Tls12Resumption>,
|
||||
|
||||
/// Supported versions, in no particular order. The default
|
||||
/// is all supported versions.
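Review bot: The doc comment left above `pub tls12_resumption: Option<Tls12Resumption>,` is the old `enable_tickets` text and ends with `/// The default is true.`, which is wrong for an `Option<Tls12Resumption>` whose default (set in the builder hunk) is `Some(Tls12Resumption::SessionIdOrTickets)`; the meaning of `None` is also left unstated. Replace the stale lines with something like `/// Which mechanisms, if any, may be used to resume TLS 1.2 sessions.` followed by `/// The default is `Some(Tls12Resumption::SessionIdOrTickets)`.`, and state what `None` does — presumably it disables TLS 1.2 resumption entirely, but the session-ID offer path is not in this diff, so confirm before writing that. The first sentence of this doc comment begins before the hunk.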
|
||||
|
@ -187,12 +187,26 @@ pub struct ClientConfig {
|
|||
pub enable_early_data: bool,
|
||||
}
|
||||
|
||||
/// What mechanisms to support for resuming a TLS 1.2 session.
|
||||
#[derive(Clone, Copy, Debug, PartialEq)]
|
||||
pub enum Tls12Resumption {
|
||||
/// Support 1.2 resumption using session ids only.
|
||||
SessionIdOnly,
|
||||
/// Support 1.2 resumption using session ids or RFC 5077 tickets.
|
||||
///
|
||||
/// See[^1] for why you might like to disable RFC 5077 by instead choosing the `SessionIdOnly`
|
||||
/// option. Note that TLS 1.3 tickets do not have those issues.
|
||||
///
|
||||
/// [^1]: <https://words.filippo.io/we-need-to-talk-about-session-tickets/>
|
||||
SessionIdOrTickets,
|
||||
}
|
||||
|
||||
impl fmt::Debug for ClientConfig {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
f.debug_struct("ClientConfig")
|
||||
.field("alpn_protocols", &self.alpn_protocols)
|
||||
.field("max_fragment_size", &self.max_fragment_size)
|
||||
.field("enable_tickets", &self.enable_tickets)
|
||||
.field("tls12_resumption", &self.tls12_resumption)
|
||||
.field("enable_sni", &self.enable_sni)
|
||||
.field("enable_early_data", &self.enable_early_data)
|
||||
.finish_non_exhaustive()
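Review bot: In the new `Tls12Resumption` enum, `/// See[^1] for why you might like to disable RFC 5077` is missing a space before the footnote reference, and the type derives `PartialEq` without `Eq` even though both variants are unit-like; `#[derive(Clone, Copy, Debug, PartialEq, Eq)]` fixes clippy's `derive_partial_eq_without_eq` and leaves the `==` comparisons introduced elsewhere in this commit unchanged. The sentence "Note that TLS 1.3 tickets do not have those issues" would also be more useful if it said why, e.g. `/// TLS 1.3 resumption in this crate uses PSK with (EC)DHE, so it retains forward secrecy.` — that matches the `PSK_DHE_KE`-only mode chosen in the hello hunk.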
|
||||
|
|
|
@ -26,6 +26,7 @@ use crate::SupportedCipherSuite;
|
|||
|
||||
#[cfg(feature = "tls12")]
|
||||
use super::tls12;
|
||||
use super::Tls12Resumption;
|
||||
use crate::client::client_conn::ClientConnectionData;
|
||||
use crate::client::common::ClientHelloDetails;
|
||||
use crate::client::{tls13, ClientConfig, ServerName};
|
||||
|
@ -248,7 +249,7 @@ fn emit_client_hello_for_retry(
|
|||
exts.push(ClientExtension::Cookie(cookie.clone()));
|
||||
}
|
||||
|
||||
if support_tls13 && config.enable_tickets {
|
||||
if support_tls13 {
|
||||
// We could support PSK_KE here too. Such connections don't
|
||||
// have forward secrecy, and are similar to TLS1.2 resumption.
|
||||
let psk_modes = vec![PSKKeyExchangeMode::PSK_DHE_KE];
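Review bot: With `enable_tickets` removed, the `psk_key_exchange_modes` block is now entered whenever TLS 1.3 is offered, so there is no longer any `ClientConfig` switch that stops TLS 1.3 resumption; as far as this diff shows, the only remaining lever is the session store (`NoClientSessionStorage` is re-exported in the final hunk). That may well be the intended design, but it is a behaviour change for anyone who set `enable_tickets = false` to avoid resumption altogether and deserves a mention in the field docs or changelog. A comment such as `// TLS 1.3 resumption is not gated by config; callers opt out via the session store.` would make the intent explicit here. emit_client_hello_for_retry starts and ends outside this hunk.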
|
||||
|
@ -380,16 +381,16 @@ fn prepare_resumption<'a>(
|
|||
cx: &mut ClientContext<'_>,
|
||||
config: &ClientConfig,
|
||||
) -> Option<persist::Retrieved<&'a persist::Tls13ClientSessionValue>> {
|
||||
if !config.enable_tickets {
|
||||
return None;
|
||||
}
|
||||
|
||||
// Check whether we're resuming with a non-empty ticket.
|
||||
let resuming = match resuming {
|
||||
Some(resuming) if !resuming.ticket().is_empty() => resuming,
|
||||
_ => {
|
||||
// If we don't have a ticket, request one.
|
||||
exts.push(ClientExtension::SessionTicket(ClientSessionTicket::Request));
|
||||
if config.supports_version(ProtocolVersion::TLSv1_3)
|
||||
|| config.tls12_resumption == Some(Tls12Resumption::SessionIdOrTickets)
|
||||
{
|
||||
// If we don't have a ticket, request one.
|
||||
exts.push(ClientExtension::SessionTicket(ClientSessionTicket::Request));
|
||||
}
|
||||
return None;
|
||||
}
|
||||
};
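Review bot: The new guard `if config.supports_version(ProtocolVersion::TLSv1_3) || config.tls12_resumption == Some(Tls12Resumption::SessionIdOrTickets)` still sends a `session_ticket` request when the client is configured `SessionIdOnly` but also offers TLS 1.3. `session_ticket` is the RFC 5077 extension that `SessionIdOnly` exists to turn off; a TLS 1.2 server that sees it may issue a ticket and return an empty session ID, which defeats session-ID resumption for exactly the users who chose that option. TLS 1.3 resumption does not use this extension (it is driven by the `psk_key_exchange_modes`/PSK path in the previous hunk), so unless there is a compatibility reason to always send it, the condition should presumably be `if config.supports_version(ProtocolVersion::TLSv1_2) && config.tls12_resumption == Some(Tls12Resumption::SessionIdOrTickets)`, mirroring the offer path in the next hunk. prepare_resumption continues outside this hunk.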
|
||||
|
@ -398,7 +399,9 @@ fn prepare_resumption<'a>(
|
|||
Some(tls13) => tls13,
|
||||
None => {
|
||||
// TLS 1.2; send the ticket if we have support this protocol version
|
||||
if config.supports_version(ProtocolVersion::TLSv1_2) {
|
||||
if config.supports_version(ProtocolVersion::TLSv1_2)
|
||||
&& config.tls12_resumption == Some(Tls12Resumption::SessionIdOrTickets)
|
||||
{
|
||||
exts.push(ClientExtension::SessionTicket(ClientSessionTicket::Offer(
|
||||
Payload::new(resuming.ticket()),
|
||||
)));
|
||||
|
|
|
@ -407,11 +407,10 @@ pub mod client {
|
|||
mod tls13;
|
||||
|
||||
pub use builder::{WantsClientCert, WantsTransparencyPolicyOrClientCert};
|
||||
pub use client_conn::ClientSessionStore;
|
||||
pub use client_conn::InvalidDnsNameError;
|
||||
pub use client_conn::ResolvesClientCert;
|
||||
pub use client_conn::ServerName;
|
||||
pub use client_conn::{ClientConfig, ClientConnection, ClientConnectionData, WriteEarlyData};
|
||||
pub use client_conn::{
|
||||
ClientConfig, ClientConnection, ClientConnectionData, ClientSessionStore,
|
||||
InvalidDnsNameError, ResolvesClientCert, ServerName, Tls12Resumption, WriteEarlyData,
|
||||
};
|
||||
pub use handy::{ClientSessionMemoryCache, NoClientSessionStorage};
|
||||
|
||||
#[cfg(feature = "dangerous_configuration")]
|
||||
|
|