The existing GNUTLS_NO_TICKETS flag affects all versions of TLS, where PFS is assured in TLS 1.3, while it is not in TLS 1.2. This adds a new flag GNUTLS_NO_TICKETS_TLS12 to allow applications to disable session tickets only in TLS 1.2.
As the only means of resumption in TLS 1.3 is using session tickets, we could repurpose the GNUTLS_NO_TICKETS flag make it no-op in TLS 1.3. However it would break backward compatibility, so we defer it to the next major release.
Fixes: #477 (closed)
Checklist
-
Commits have Signed-off-by:with name/author being identical to the commit author -
Code modified for feature -
Test suite updated with functionality tests -
Test suite updated with negative tests -
Documentation updated / NEWS entry present (for non-trivial changes) -
CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)
Reviewer's checklist:
-
Any issues marked for closing are addressed -
There is a test suite reasonably covering new functionality or modifications -
Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md -
This feature/change has adequate documentation added -
No obvious mistakes in the code