From e77d75193f4f61cf90991569c5470ba5d1b78f2b Mon Sep 17 00:00:00 2001
From: Philipp Hancke
Date: Mon, 16 Sep 2024 13:22:18 -0700
Subject: [PATCH] Disable TLS session ticket for DTLS since it makes no sense for the WebRTC usage of DTLS and increases the size of the last handshake flight considerably

Guarded by killswitch WebRTC-DisableTlsSessionTicketKillswitch

BUG=webrtc:367181089
Co-authored-by: Jody Ho
Change-Id: I4bb17bba8a17c65c8e0fefe2d8962974703feee7
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/362526
Reviewed-by: Harald Alvestrand
Reviewed-by: David Benjamin
Commit-Queue: Philipp Hancke
Cr-Commit-Position: refs/heads/main@{#43046}
---
 experiments/field_trials.py | 3 +++
 rtc_base/openssl_stream_adapter.cc | 7 ++++++-
 rtc_base/openssl_stream_adapter.h | 3 +++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/experiments/field_trials.py b/experiments/field_trials.py
index c4455015a0..cecca11c5b 100755
--- a/experiments/field_trials.py
+++ b/experiments/field_trials.py
@@ -113,6 +113,9 @@ ACTIVE_FIELD_TRIALS: FrozenSet[FieldTrial] = frozenset([
     FieldTrial('WebRTC-PermuteTlsClientHello',
                42225803,
                date(2025, 1, 1)),
+    FieldTrial('WebRTC-DisableTlsSessionTicketKillswitch',
+               367181089,
+               date(2025, 7, 1)),
     FieldTrial('WebRTC-QCM-Dynamic-AV1',
                349860657,
                date(2025, 7, 1)),
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index b7b1d1cfd1..d9f873b586 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -306,7 +306,9 @@ OpenSSLStreamAdapter::OpenSSLStreamAdapter(
           !webrtc::field_trial::IsDisabled("WebRTC-PermuteTlsClientHello")),
 #endif
       ssl_mode_(SSL_MODE_DTLS),
-      ssl_max_version_(SSL_PROTOCOL_TLS_12) {
+      ssl_max_version_(SSL_PROTOCOL_DTLS_12),
+      disable_handshake_ticket_(!webrtc::field_trial::IsDisabled(
+          "WebRTC-DisableTlsSessionTicketKillswitch")) {
   stream_->SetEventCallback(
       [this](int events, int err) { OnEvent(events, err); });
 }
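Review bot: The initializer-list change from `ssl_max_version_(SSL_PROTOCOL_TLS_12)` to `ssl_max_version_(SSL_PROTOCOL_DTLS_12)` is not mentioned anywhere in the subject or description, which only talk about session tickets. If, as I recall, `SSL_PROTOCOL_DTLS_12` is an alias of `SSL_PROTOCOL_TLS_12` in ssl_stream_adapter.h this is a naming cleanup with no behavior change, but it still deserves a sentence in the message or its own change, because someone bisecting a max-version regression will not look in a "disable tickets" commit. The field-trial lookup for `disable_handshake_ticket_` happens once at construction, so flipping the killswitch affects only adapters created afterwards; a short comment on the member in the header, `// Read once at construction; later field-trial changes do not affect this adapter.`, would make that explicit. The constructor's initializer list begins before this hunk, so the declaration order of the new `const` member relative to `ssl_max_version_` cannot be checked from here.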
@@ -1080,6 +1082,9 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
   SSL_CTX_set_permute_extensions(ctx, permute_extension_);
 #endif
 
+  if (disable_handshake_ticket_) {
+    SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+  }
   return ctx;
 }
 
diff --git a/rtc_base/openssl_stream_adapter.h b/rtc_base/openssl_stream_adapter.h
index 92e8c1017e..e67992be45 100644
--- a/rtc_base/openssl_stream_adapter.h
+++ b/rtc_base/openssl_stream_adapter.h
@@ -250,6 +250,9 @@ class OpenSSLStreamAdapter final : public SSLStreamAdapter,
   // A 50-ms initial timeout ensures rapid setup on fast connections, but may
   // be too aggressive for low bandwidth links.
   int dtls_handshake_timeout_ms_ = 50;
+
+  // Rollout killswitch for disabling session tickets.
+  const bool disable_handshake_ticket_;
 };
 
///////////////////////////////////////////////////////////////////////////
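Review bot: `SSL_OP_NO_TICKET` is set whenever `disable_handshake_ticket_` is true without consulting `ssl_mode_`, although the commit message justifies the change only for DTLS and the constructor hunk shows `ssl_mode_` is a configurable member that merely defaults to `SSL_MODE_DTLS`. If the intent really is DTLS-only, gate it, `if (disable_handshake_ticket_ && ssl_mode_ == SSL_MODE_DTLS) {`; if tickets are meant to be off in TLS mode as well, say so in a one-line comment above the `if` so the next reader does not "fix" it. Either way this is the conservative choice from a defender's view: with the option set the adapter should neither issue nor offer a ticket, so the ticket-handling path is removed rather than merely unused, and the final handshake flight shrinks as described. `SetupSSLContext` begins before this hunk.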
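Review bot: The member name `disable_handshake_ticket_` does not match what it controls: the field trial is named `WebRTC-DisableTlsSessionTicketKillswitch`, the option applied in SetupSSLContext is `SSL_OP_NO_TICKET`, and TLS calls the mechanism a session ticket, not a handshake ticket, so the comment "disabling session tickets" and the identifier disagree. Since the member is new in this change, renaming it to `disable_session_ticket_` costs nothing; failing that, make the comment carry the link: `// Killswitch (WebRTC-DisableTlsSessionTicketKillswitch): when true, SSL_OP_NO_TICKET is set on the SSL_CTX so no TLS session ticket is negotiated; WebRTC never resumes DTLS sessions and the ticket only enlarges the last handshake flight.` Being `const`, the member can only be set from the constructor initializer list, which is worth a word in the comment as well since the neighbouring members use default member initializers.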