Vulnerability Report: GO-2022-0531
- Affects: crypto/tls
- Published: Jul 28, 2022
- Modified: Jun 12, 2023
An attacker can correlate a resumed TLS session with a previous connection. Session tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
before go1.17.11, from go1.18.0-0 before go1.18.3all symbols
- Github user @nervuri