feat: TLS session resumption

deltachat · Nov 9, 2024 · 5a315d3 · 5a315d3
1 parent b112a13
commit 5a315d3
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/net/tls.rs b/src/net/tls.rs
@@ -2,9 +2,12 @@
 use std::sync::Arc;
 
 use anyhow::Result;
+use once_cell::sync::Lazy;
 
 use crate::net::session::SessionStream;
 
+use tokio_rustls::rustls::client::ClientSessionStore;
+
 pub async fn wrap_tls(
     strict_tls: bool,
     hostname: &str,
@@ -30,6 +33,13 @@ pub async fn wrap_tls(
     }
 }
 
+// This is the default as of version 0.23.16, but make it shared between clients.
+static RESUMPTION_STORE: Lazy<Arc<dyn ClientSessionStore>> = Lazy::new(|| {
+    Arc::new(tokio_rustls::rustls::client::ClientSessionMemoryCache::new(
+        256,
+    ))
+});
+
 pub async fn wrap_rustls(
     hostname: &str,
     alpn: &[&str],
@@ -43,6 +53,14 @@ pub async fn wrap_rustls(
         .with_no_client_auth();
     config.alpn_protocols = alpn.iter().map(|s| s.as_bytes().to_vec()).collect();
 
+    // Enable TLS 1.3 session resumption.
+    //
+    // TLS 1.2 has worse security,
+    // not risking it: <https://words.filippo.io/we-need-to-talk-about-session-tickets/>
+    let resumption = tokio_rustls::rustls::client::Resumption::store(Arc::clone(&RESUMPTION_STORE))
+        .tls12_resumption(tokio_rustls::rustls::client::Tls12Resumption::Disabled);
+    config.resumption = resumption;
+
     let tls = tokio_rustls::TlsConnector::from(Arc::new(config));
     let name = rustls_pki_types::ServerName::try_from(hostname)?.to_owned();
     let tls_stream = tls.connect(name, stream).await?;