From 3392ac849c2f7dd7858fcd1d345e230b2acc5a6f Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Thu, 30 Jun 2022 11:18:38 +0000
Subject: [PATCH] Check whether the security level allows session tickets.

ok beck jsing
---
 lib/libssl/ssl_tlsext.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index fc6c11daa62..f103c2253ed 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.115 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.116 2022/06/30 11:18:38 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1124,6 +1124,9 @@ tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type)
 	if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0)
 		return 0;
 
+	if (!ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL))
+		return 0;
+
 	if (s->internal->new_session)
 		return 1;
 
@@ -1203,7 +1206,8 @@ int
 tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type)
 {
 	return (s->internal->tlsext_ticket_expected &&
-	    !(SSL_get_options(s) & SSL_OP_NO_TICKET));
+	    !(SSL_get_options(s) & SSL_OP_NO_TICKET) &&
+	    ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL));
 }
 
 int
-- 
2.20.1