Disable TLS session ticket for DTLS

since it makes no sense for the WebRTC usage of DTLS and increases the size of the last handshake flight considerably Guarded by killswitch WebRTC-DisableTlsSessionTicketKillswitch BUG=webrtc:367181089 Co-authored-by: Jody Ho <jodyho@meta.com> Change-Id: I4bb17bba8a17c65c8e0fefe2d8962974703feee7 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/362526 Reviewed-by: Harald Alvestrand <hta@webrtc.org> Reviewed-by: David Benjamin <davidben@webrtc.org> Commit-Queue: Philipp Hancke <phancke@meta.com> Cr-Commit-Position: refs/heads/main@{#43046}
2024-09-16 13:22:18 -07:00 · 2024-09-16 13:22:18 -07:00 · e77d75193f
commit e77d75193f
parent 54903b407f
3 changed files with 12 additions and 1 deletions
--- a/experiments/field_trials.py
+++ b/experiments/field_trials.py
@ -113,6 +113,9 @@ ACTIVE_FIELD_TRIALS: FrozenSet[FieldTrial] = frozenset([
    FieldTrial('WebRTC-PermuteTlsClientHello',
               42225803,
               date(2025, 1, 1)),
+    FieldTrial('WebRTC-DisableTlsSessionTicketKillswitch',
+               367181089,
+               date(2025, 7, 1)),
    FieldTrial('WebRTC-QCM-Dynamic-AV1',
               349860657,
               date(2025, 7, 1)),
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@ -306,7 +306,9 @@ OpenSSLStreamAdapter::OpenSSLStreamAdapter(
          !webrtc::field_trial::IsDisabled("WebRTC-PermuteTlsClientHello")),
 #endif
      ssl_mode_(SSL_MODE_DTLS),
-      ssl_max_version_(SSL_PROTOCOL_TLS_12) {
+      ssl_max_version_(SSL_PROTOCOL_DTLS_12),
+      disable_handshake_ticket_(!webrtc::field_trial::IsDisabled(
+          "WebRTC-DisableTlsSessionTicketKillswitch")) {
  stream_->SetEventCallback(
      [this](int events, int err) { OnEvent(events, err); });
 }
@ -1080,6 +1082,9 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
  SSL_CTX_set_permute_extensions(ctx, permute_extension_);
 #endif

+  if (disable_handshake_ticket_) {
+    SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+  }
  return ctx;
 }

--- a/rtc_base/openssl_stream_adapter.h
+++ b/rtc_base/openssl_stream_adapter.h
@ -250,6 +250,9 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter,
  // A 50-ms initial timeout ensures rapid setup on fast connections, but may
  // be too aggressive for low bandwidth links.
  int dtls_handshake_timeout_ms_ = 50;
+
+  // Rollout killswitch for disabling session tickets.
+  const bool disable_handshake_ticket_;
 };

 /////////////////////////////////////////////////////////////////////////////