Postfix issues TLS tickets only every second time

[link2xt]

For example, if you run openssl s_client -connect staging.testrun.org:465 -tls1_3 -sess_out sess.pem, command output contains New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 (new session is established) and Post-Handshake New Session Ticket arrived: (new ticket is issued by the server).

Then if you run openssl s_client -connect c2.testrun.org:465 -tls1_3 -sess_in sess.pem, you get Reused, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 (reused session) and no new ticket.

In contrast, smtp.gmail.com:465 issues two tickets every time, regardless of whether you used existing session or not.

I did not find Postfix options to change this behaviour. Maybe there is something in the postfix mailing list.

Detailed issue is at rustls/rustls#2204

[hpk42]

Why is postfix only emitting a ticket every second time an issue?

[link2xt]

Why is postfix only emitting a ticket every second time an issue?

Because session resumption does not work every second time.

[link2xt]

In Postfix 3.8.6 file src/tls/tls_server.c there is this code:

    ticketable = (*var_tls_tkt_cipher && scache_timeout > 0
                  && !(off & SSL_OP_NO_TICKET));
...
    if (ticketable) {
#if OPENSSL_VERSION_PREREQ(3,0)
        SSL_CTX_set_tlsext_ticket_key_evp_cb(server_ctx, ticket_cb);
#else
        SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb);
#endif

        /*
         * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more
         * than one ticket per handshake.  While this may be appropriate for
         * communication between browsers and webservers, it is not terribly
         * useful for MTAs, many of which other than Postfix don't do TLS
         * session caching at all, and Postfix has no mechanism for storing
         * multiple session tickets, if more than one sent, the second
         * clobbers the first.  OpenSSL 1.1.1 servers default to issuing two
         * tickets for non-resumption handshakes, we reduce this to one.  Our
         * ticket decryption callback already (since 2.11) asks OpenSSL to
         * avoid issuing new tickets when the presented ticket is re-usable.
         */
        SSL_CTX_set_num_tickets(server_ctx, 1);
    }
    if (!ticketable)
        off |= SSL_OP_NO_TICKET;

While it is possible to reuse TLS session tickets, Rustls never reuses them.
TLS 1.3 specification explicitly says that tickets should not be reused:

Clients SHOULD NOT reuse a ticket for multiple connections. Reuse of a ticket allows passive observers to correlate different connections. Servers that issue tickets SHOULD offer at least as many tickets as the number of connections that a client might use; for example, a web browser using HTTP/1.1 [RFC7230] might open six connections to a server. Servers SHOULD issue new tickets with every connection. This ensures that clients are always able to use a new ticket when creating a new connection.

So TLS 1.3 concern here is that passive observer can see the same ticket in plaintext and conclude that it's the same client. While may be considered a minor issue and Rustls can get an option to ignore RFC recommendation, I don't think it should be done and don't want to consider all the implications of e.g. clients using Tor and passive eavesdropper monitoring exit node traffic being able to tell that two connections belong to the same client.

Postfix should be fixed to produce tickets in any case as TLS 1.3 specification says it SHOULD. Issuing tickets is cheap, tickets are small and fixed size, it's just an AES state, no asymmetric crypto is involved, see e.g. https://www.rfc-editor.org/rfc/rfc5077#section-4.