diff --git a/experiments/field_trials.py b/experiments/field_trials.py
index c4455015a0..cecca11c5b 100755
--- a/experiments/field_trials.py
+++ b/experiments/field_trials.py
@@ -113,6 +113,9 @@ ACTIVE_FIELD_TRIALS: FrozenSet[FieldTrial] = frozenset([
 FieldTrial('WebRTC-PermuteTlsClientHello',
 42225803,
 date(2025, 1, 1)),
+ FieldTrial('WebRTC-DisableTlsSessionTicketKillswitch',
+ 367181089,
+ date(2025, 7, 1)),
 FieldTrial('WebRTC-QCM-Dynamic-AV1',
 349860657,
 date(2025, 7, 1)),
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index b7b1d1cfd1..d9f873b586 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -306,7 +306,9 @@ OpenSSLStreamAdapter::OpenSSLStreamAdapter(
 !webrtc::field_trial::IsDisabled("WebRTC-PermuteTlsClientHello")),
 #endif
 ssl_mode_(SSL_MODE_DTLS),
- ssl_max_version_(SSL_PROTOCOL_TLS_12) {
+ ssl_max_version_(SSL_PROTOCOL_DTLS_12),
+ disable_handshake_ticket_(!webrtc::field_trial::IsDisabled(
+ "WebRTC-DisableTlsSessionTicketKillswitch")) {
 stream_->SetEventCallback(
 [this](int events, int err) { OnEvent(events, err); });
 }
@@ -1080,6 +1082,9 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
 SSL_CTX_set_permute_extensions(ctx, permute_extension_);
 #endif
+ if (disable_handshake_ticket_) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+ }
 return ctx;
 }
diff --git a/rtc_base/openssl_stream_adapter.h b/rtc_base/openssl_stream_adapter.h
index 92e8c1017e..e67992be45 100644
--- a/rtc_base/openssl_stream_adapter.h
+++ b/rtc_base/openssl_stream_adapter.h
@@ -250,6 +250,9 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter,
 // A 50-ms initial timeout ensures rapid setup on fast connections, but may
 // be too aggressive for low bandwidth links.
 int dtls_handshake_timeout_ms_ = 50;
+
+ // Rollout killswitch for disabling session tickets.
+ const bool disable_handshake_ticket_;
 };
 /////////////////////////////////////////////////////////////////////////////
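Review bot: In the OpenSSLStreamAdapter constructor hunk of rtc_base/openssl_stream_adapter.cc, the `ssl_max_version_` initializer changes from `SSL_PROTOCOL_TLS_12` to `SSL_PROTOCOL_DTLS_12`, although the rest of the commit is about session tickets. The hunk does not show whether the two enumerators have the same value. If they are aliases, this is a readability cleanup that deserves a line in the commit description. If they differ, the default protocol ceiling changes unconditionally, while the ticket change sits behind a killswitch, and it would be safer to land the two separately. The constructor's initializer list starts outside the hunk.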
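Review bot: The `SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);` call added in SetupSSLContext() has no comment saying why tickets are turned off or which protocol versions the option is expected to cover. In OpenSSL the option suppresses only stateless tickets under TLS 1.3, where `SSL_CTX_set_num_tickets(ctx, 0)` is the documented way to stop all of them. The constructor caps the version at 1.2, so this matters only if the ceiling is raised elsewhere, which is not visible here. I would add a one-line comment above the `if` giving the reason and the version scope, for example `// SSL_OP_NO_TICKET covers (D)TLS <= 1.2; revisit if the max version is raised.` A handshake test with the field trial in both states would confirm that the killswitch restores the old behaviour. SetupSSLContext() begins outside the hunk.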
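Review bot: In rtc_base/openssl_stream_adapter.h, the comment `// Rollout killswitch for disabling session tickets.` describes the field trial rather than the member it sits on. As initialised in the constructor, `disable_handshake_ticket_` is `!IsDisabled("WebRTC-DisableTlsSessionTicketKillswitch")`, so it is true when the trial is unset and false only when the trial is set to Disabled. The stacked negations (Disable… / IsDisabled / `!`) are easy to misread on a security-relevant default, so I would state the polarity directly: `// True (session tickets off) unless field trial WebRTC-DisableTlsSessionTicketKillswitch is Disabled.` The class definition begins outside the hunk.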