[gnutls-help] Reliable way to check if there is %NO_TICKETS in the current configured priority

Daiki Ueno ueno at gnu.org
Mon Jan 29 06:16:11 CET 2024


Hello Oto,

Sorry for the late response.

Oto Šťáva <oto.stava at nic.cz> writes:

> I have an application that allows the user to set their own priority
> string for GnuTLS, including the %NO_TICKETS keyword, which disables
> TLS resumption. That same application also supports QUIC via the
> ngtcp2 library. There is an edge-case where if I set %NO_TICKETS and
> attempt to use 0-RTT functions of the ngtcp2 library, the QUIC
> connection gets into an invalid state and eventually crashes with an
> assertion error. Is there some API through which I can reliably check
> whether tickets are enabled for a session so as to avoid calling the
> 0-RTT-related functions in such a case? I tried via
> (gnutls_session_get_flags(...) & GNUTLS_SFLAGS_SESSION_TICKET), but
> that returns true even when %NO_TICKETS is present in the priority
> string. Would I have to parse the priority string manually?

Right, GNUTLS_SFLAGS_SESSION_TICKET can only be used to check whether a
session ticket is received.  There is currently no API that returns the
settings of the use of session tickets, and I generally agree that it
would make sense to have one like gnutls_session_ticket_enabled_server.

I haven't looked into the actual error when used with ngtcp2, but does
it happen around (or inside) the call to GnuTLS API
gnutls_record_*_early_data?  If so, we might rather want to add a
fallback behavior (i.e., disabling 0-RTT) rather than erroring out.

Regards,
-- 
Daiki Ueno
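
One application-side workaround for the missing API discussed above is to scan the user-supplied priority string before enabling 0-RTT. This is an added example, not code from this thread, GnuTLS or ngtcp2; the function names are hypothetical. It assumes keywords are colon-separated and matched case-insensitively, and that an `@`-prefixed token points at system-wide configuration the application cannot inspect.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ticket_hint { TICKETS_ALLOWED, TICKETS_DISABLED, TICKETS_UNKNOWN };

/* Exact, case-insensitive match of a token of length n against kw. */
static bool token_is(const char *tok, size_t n, const char *kw)
{
    if (strlen(kw) != n)
        return false;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)tok[i]) != toupper((unsigned char)kw[i]))
            return false;
    return true;
}

/* Hypothetical helper: classify a priority string by its %NO_TICKETS use. */
enum ticket_hint priority_ticket_hint(const char *prio)
{
    enum ticket_hint hint = TICKETS_ALLOWED;
    if (prio == NULL)               /* library default: not visible here */
        return TICKETS_UNKNOWN;
    for (const char *p = prio;;) {
        size_t n = strcspn(p, ":"); /* length of the current token */
        if (token_is(p, n, "%NO_TICKETS"))
            return TICKETS_DISABLED;
        if (n > 0 && p[0] == '@')   /* assumption: expands to unseen config */
            hint = TICKETS_UNKNOWN;
        if (p[n] == '\0')
            break;
        p += n + 1;
    }
    return hint;
}

/* Fail safe: attempt 0-RTT only when tickets are known not to be disabled. */
bool may_attempt_0rtt(const char *prio)
{
    return priority_ticket_hint(prio) == TICKETS_ALLOWED;
}

int main(void)
{
    /* Constructed sample priority strings. */
    const char *samples[] = { "NORMAL", "NORMAL:%NO_TICKETS", "@SYSTEM" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s 0-RTT: %s\n", samples[i], may_attempt_0rtt(samples[i]) ? "yes" : "no");
    return 0;
}
```

The check only sees what the application itself passes in, so anything it cannot resolve is treated the same as tickets being disabled.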


