Check whether the security level allows session tickets.

ok beck jsing

1 files changed, 6 insertions, 2 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index fc6c11daa6..f103c2253e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.115 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.116 2022/06/30 11:18:38 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1124,6 +1124,9 @@ tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
         if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
                 return 0;
 
+        if (!ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL))
+                return 0;
+
         if (s->internal->new_session)
                 return 1;
 
@@ -1203,7 +1206,8 @@ int
 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
 {
         return (s->internal->tlsext_ticket_expected &&
-            !(SSL_get_options(s) & SSL_OP_NO_TICKET));
+            !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
+            ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL));
 }
 
 int