From 079b394c490849388ed8bc08756d26153b9d843a Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Thu, 20 Oct 2016 13:19:20 -0400
Subject: [PATCH] Always enable GREASE for TLS 1.3 NewSessionTicket.

On the client we'll leave it off by default until the change has made it through Chrome's release process. For TLS 1.3, there is no existing breakage risk, so always do it. This saves us the trouble of having to manually turn it on in servers. See [0] for a data point of someone getting it wrong.

[0] https://hg.mozilla.org/projects/nss/rev/9dbc21b1c3cc

Change-Id: I74daad9e7efd2040e9d66d72d558b31f145e6c4c
Reviewed-on: https://boringssl-review.googlesource.com/11680
Reviewed-by: Adam Langley
---
 ssl/test/runner/runner.go | 5 ++++-
 ssl/tls13_server.c | 10 ++++------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 48d3340f..ab5fdee1 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2299,10 +2299,13 @@ func addBasicTests() {
 config: Config{
 MaxVersion: VersionTLS13,
 Bugs: ProtocolBugs{
+ // TLS 1.3 servers are expected to
+ // always enable GREASE. TLS 1.3 is new,
+ // so there is no existing ecosystem to
+ // worry about.
 ExpectGREASE: true,
 },
 },
- flags: []string{"-enable-grease"},
 },
 }
 testCases = append(testCases, basicTests...)
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
index e54abcfd..fac43646 100644
--- a/ssl/tls13_server.c
+++ b/ssl/tls13_server.c
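Review bot: The new four-line comment explains the policy but not what the runner actually asserts once `-enable-grease` is gone, so a reader cannot tell from this entry that the check now runs against the shim's default flags. Given the commit title, the server-side ExpectGREASE check is presumably on the NewSessionTicket extensions; naming that would make the comment self-contained, e.g. `// always enable GREASE in NewSessionTicket, so no shim flag is needed.` The test case's name and testType are outside the hunk, so I cannot confirm this entry is the server-side case. addBasicTests continues beyond both ends of the hunk.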
@@ -574,12 +574,10 @@ static enum ssl_hs_wait_t do_send_new_session_ticket(SSL *ssl,
 }
 
 /* Add a fake extension. See draft-davidben-tls-grease-01. */
- if (ssl->ctx->grease_enabled) {
- if (!CBB_add_u16(&extensions,
- ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
- !CBB_add_u16(&extensions, 0 /* empty */)) {
- goto err;
- }
+ if (!CBB_add_u16(&extensions,
+ ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
+ !CBB_add_u16(&extensions, 0 /* empty */)) {
+ goto err;
 }
 
 if (!ssl->method->finish_message(ssl, &cbb)) {
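Review bot: The surviving comment `/* Add a fake extension. See draft-davidben-tls-grease-01. */` no longer records why this path ignores `ssl->ctx->grease_enabled` while, per the commit message, the client path still honours it; a later reader who finds the flag consulted elsewhere will read the unconditional CBB_add_u16 calls as an oversight. Suggest extending it to `/* Add a fake extension. See draft-davidben-tls-grease-01. Unlike the client, this is unconditional: TLS 1.3 has no existing deployment to break, so grease_enabled is not consulted. */`. If no other server-side reader of `grease_enabled` remains after this change, the field's own documentation should say it now affects only the client. do_send_new_session_ticket begins and ends outside the hunk.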