From 518de1673ed411ba84b417377751ca7603a89bc1 Mon Sep 17 00:00:00 2001 From: Philipp Hancke Date: Mon, 16 Sep 2024 13:22:18 -0700 Subject: [PATCH] Reland "Disable TLS session ticket for DTLS" This is a reland of commit e77d75193f4f61cf90991569c5470ba5d1b78f2b. No changes were required to the CL, downstream tests have been fixed. Original change's description: > Disable TLS session ticket for DTLS > > since it makes no sense for the WebRTC usage of DTLS and increases > the size of the last handshake flight considerably > Guarded by killswitch > WebRTC-DisableTlsSessionTicketKillswitch > > BUG=webrtc:367181089 > > Co-authored-by: Jody Ho > Change-Id: I4bb17bba8a17c65c8e0fefe2d8962974703feee7 > Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/362526 > Reviewed-by: Harald Alvestrand > Reviewed-by: David Benjamin > Commit-Queue: Philipp Hancke > Cr-Commit-Position: refs/heads/main@{#43046} Bug: webrtc:367181089 Change-Id: I4b3f813e4a0dd4d0458ee14c15c51ee6f9b84461 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/363220 Reviewed-by: Harald Alvestrand Commit-Queue: Mirko Bonadei Cr-Commit-Position: refs/heads/main@{#43066}
--- experiments/field_trials.py | 3 +++ rtc_base/openssl_stream_adapter.cc | 7 ++++++- rtc_base/openssl_stream_adapter.h | 3 +++ 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/experiments/field_trials.py b/experiments/field_trials.py
index c4455015a0..cecca11c5b 100755
--- a/experiments/field_trials.py
+++ b/experiments/field_trials.py
@@ -113,6 +113,9 @@ ACTIVE_FIELD_TRIALS: FrozenSet[FieldTrial] = frozenset([
 FieldTrial('WebRTC-PermuteTlsClientHello',
 42225803,
 date(2025, 1, 1)),
+ FieldTrial('WebRTC-DisableTlsSessionTicketKillswitch',
+ 367181089,
+ date(2025, 7, 1)),
 FieldTrial('WebRTC-QCM-Dynamic-AV1',
 349860657,
 date(2025, 7, 1)),
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index b7b1d1cfd1..d9f873b586 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -306,7 +306,9 @@ OpenSSLStreamAdapter::OpenSSLStreamAdapter(
 !webrtc::field_trial::IsDisabled("WebRTC-PermuteTlsClientHello")),
 #endif
 ssl_mode_(SSL_MODE_DTLS),
- ssl_max_version_(SSL_PROTOCOL_TLS_12) {
+ ssl_max_version_(SSL_PROTOCOL_DTLS_12),
+ disable_handshake_ticket_(!webrtc::field_trial::IsDisabled(
+ "WebRTC-DisableTlsSessionTicketKillswitch")) {
 stream_->SetEventCallback(
 [this](int events, int err) { OnEvent(events, err); });
 }
@@ -1080,6 +1082,9 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
 SSL_CTX_set_permute_extensions(ctx, permute_extension_);
 #endif
+ if (disable_handshake_ticket_) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+ }
 return ctx;
 }
diff --git a/rtc_base/openssl_stream_adapter.h b/rtc_base/openssl_stream_adapter.h
index 92e8c1017e..e67992be45 100644
--- a/rtc_base/openssl_stream_adapter.h
+++ b/rtc_base/openssl_stream_adapter.h
@@ -250,6 +250,9 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter,
 // A 50-ms initial timeout ensures rapid setup on fast connections, but may
 // be too aggressive for low bandwidth links.
 int dtls_handshake_timeout_ms_ = 50;
+
+ // Rollout killswitch for disabling session tickets.
+ const bool disable_handshake_ticket_;
 };
 ///////////////////////////////////////////////////////////////////////////
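Review bot: The removed/added pair in the constructor's initializer list changes `ssl_max_version_` from SSL_PROTOCOL_TLS_12 to SSL_PROTOCOL_DTLS_12, which neither the subject nor the description mentions. If SSLProtocolVersion defines the DTLS enumerators as aliases of their TLS counterparts (as it appears to in the SSLStreamAdapter header, outside this diff) this is a pure rename and one sentence in the description would save the next reader from hunting for a behaviour change; if it is not an alias, the maximum negotiated version changed and that needs its own justification and test. The new `disable_handshake_ticket_` initializer is a double negative (`!IsDisabled(...Killswitch)`) whose default-on meaning is easy to misread, so I would add `// Tickets are off by default; only the Disabled trial state re-enables them.` above the added lines. The initializer list starts before the hunk.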
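Review bot: The new `SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET)` call in SetupSSLContext() carries no comment, so the reason it is safe lives only in the commit message; I would add `// WebRTC never resumes DTLS sessions: a session ticket only inflates the last server flight and requires ticket-encryption key material that nobody uses.` above the `if`. With tickets off an OpenSSL/BoringSSL server still falls back to session-ID resumption through its internal cache unless that cache is off, so unless SetupSSLContext() already calls `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)` outside the hunk, doing so in the same branch drops the remaining per-context session state for a resumption path that is never taken. The reland adds no test for the new option; a unit test asserting `SSL_CTX_get_options(ctx) & SSL_OP_NO_TICKET` with the trial in both states (or checking the server's final flight for the absence of NewSessionTicket, if the fixture can observe it) would pin the killswitch. SetupSSLContext() starts before the hunk.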
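Review bot: The comment on the new member describes the field trial rather than the member: `disable_handshake_ticket_` is the resolved setting, fixed at construction since it is const, while the killswitch is the trial that flips it. I would replace the comment with `// True unless the WebRTC-DisableTlsSessionTicketKillswitch trial is Disabled; when true SetupSSLContext() sets SSL_OP_NO_TICKET so no session ticket is issued, since WebRTC never resumes DTLS sessions.` The class declaration starts before the hunk.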