From 32e1761c8eaaaeeaac8495dbe21f71780ea330d9 Mon Sep 17 00:00:00 2001
From: Edoardo Spadolini
Date: Thu, 31 Oct 2024 10:59:21 +0100
Subject: [PATCH] [v17] Disable server-side TLS session tickets (#48166)
* Disable server-side TLS session tickets
* Fix CloneClient helper
---
lib/auth/helpers.go | 3 ++-
lib/utils/tls.go | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/auth/helpers.go b/lib/auth/helpers.go
index 9553f2697cf8c..1d8744d56e2e2 100644
--- a/lib/auth/helpers.go
+++ b/lib/auth/helpers.go
@@ -1095,7 +1095,8 @@ func (t *TestTLSServer) CloneClient(tt *testing.T, clt *authclient.Client) *auth
 // shared between all clients that use the same TLS config.
 // Reusing the cache will skip the TLS handshake and may introduce a weird
 // behavior in tests.
- if !tlsConfig.SessionTicketsDisabled {
+ if tlsConfig.ClientSessionCache != nil {
+ tlsConfig = tlsConfig.Clone()
 tlsConfig.ClientSessionCache = tls.NewLRUClientSessionCache(utils.DefaultLRUCapacity)
 }
diff --git a/lib/utils/tls.go b/lib/utils/tls.go
index 8f619b63faf80..ca096a523b0a0 100644
--- a/lib/utils/tls.go
+++ b/lib/utils/tls.go
@@ -43,6 +43,11 @@ func SetupTLSConfig(config *tls.Config, cipherSuites []uint16) {
 config.CipherSuites = cipherSuites
 }
+ // pre-v17 Teleport uses a client ticket cache, which doesn't play well with
+ // verification (both client- and server-side) when using dynamic
+ // credentials and CAs (in v17+ Teleport)
+ config.SessionTicketsDisabled = true
+
 config.MinVersion = tls.VersionTLS12
 }
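Review bot: The comment above the changed lines still explains why a private cache is wanted but not why the guard became `tlsConfig.ClientSessionCache != nil`; `SessionTicketsDisabled` is a server-side knob in Go's crypto/tls and this same commit makes SetupTLSConfig set it unconditionally, so the old condition could never hold, whereas client-side resumption is governed by whether a ClientSessionCache is present. I would add `// SessionTicketsDisabled only affects servers; a client resumes iff it has a ClientSessionCache, so only then does the clone need its own.` above the `if`. Cloning only inside the branch means a config without a cache stays shared with the source client, which is fine as long as nothing later mutates tlsConfig; if it does, hoist `tlsConfig = tlsConfig.Clone()` above the `if`. CloneClient starts and ends outside this hunk, so that cannot be confirmed from here.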
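Review bot: The new comment describes the old client-side cache but not what the flag itself does, and since SetupTLSConfig is, by its name, applied to both client and server configs, a reader may assume it also stops this process from resuming as a client; in Go's crypto/tls, `SessionTicketsDisabled` only stops the server from issuing tickets, while client-side resumption is controlled by ClientSessionCache. I would rewrite the comment to state that the server never issues tickets, so every peer performs a full handshake and is re-verified against the current CAs and credentials on each connection (which is what protects against stale identities after rotation), that this also covers pre-v17 clients that still carry a ClientSessionCache, and that the assignment deliberately overrides whatever the caller set. Whether a resumed session would otherwise skip client-certificate verification depends on the Go version in use, so the comment should name the Go behaviour it relies on rather than leave it implicit. The commit adds no test; dialing a SetupTLSConfig'd server twice with a client that has a ClientSessionCache and asserting `!conn.ConnectionState().DidResume` on the second dial would pin the behaviour. SetupTLSConfig starts before this hunk.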