Re: [PR] Add sni.yaml session ticket overrides (#13006) [trafficserver]

Tue, 31 Mar 2026 15:04:27 -0700 


bneradt commented on code in PR #13044:
URL: https://github.com/apache/trafficserver/pull/13044#discussion_r3018661442


##########
src/iocore/net/SSLUtils.cc:
##########
@@ -401,13 +407,9 @@ ssl_cert_callback(SSL *ssl, [[maybe_unused]] void *arg)
       setClientCertCACerts(ssl, sslnetvc->get_ca_cert_file(), 
sslnetvc->get_ca_cert_dir());
     }
 
-    // Reset the ticket callback if needed
-    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
-#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
-    SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket);
-#else
-    SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket);
-#endif
+    if (!ssl_apply_sni_session_ticket_properties(ssl)) {
+      retval = 0;
+    }

Review Comment:
   Thanks, I traced this through both the backport and the original master 
patch. The explicit `SSL_CTX_set_tlsext_ticket_key...` call no longer happens 
in `ssl_cert_callback()`, but the functionality is still covered elsewhere.
   
   In this backport, the selected server `SSL_CTX` now gets the ticket callback 
during `SSLMultiCertConfigLoader::init_server_ssl_ctx()` via 
`ssl_context_enable_ticket_callback(ctx)`. Later, after SNI/cert selection, 
`ssl_cert_callback()` calls `ssl_apply_sni_session_ticket_properties(ssl)`, 
which just applies the per-connection SNI override (`SSL_OP_NO_TICKET` and the 
TLS 1.3 ticket count). `TLSCertSwitchSupport::selectCertificate()` switches the 
connection to the already-initialized context with `SSL_set_SSL_CTX()`, so the 
ticket callback is already present on the new context.
   
   The original master commit (`8d75849e0e3574748f25fd682001e0566d75bd18`) has 
the same structure, so this is not a backport-only difference. The added 
`tls_sni_ticket` AuTest also covers the risky case here: global tickets off, 
then `sni.yaml` turning them back on for the matched SNI.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to