quic: add TLS session ticket resumption support

[bellatoris]

Commit Message: quic: add session ticket resumption support using configured session ticket keys
Additional Description:

Summary

TLS session resumption is essential for QUIC performance. Without it, every connection requires a full TLS handshake, and 0-RTT becomes meaningless since there's no session state to resume from. As noted in #42682, TLS-related data accounts for roughly 1/3 of bytes during connection establishment - session resumption eliminates most of this overhead.

Currently, Envoy's QUIC implementation does not support session resumption across workers or processes. While users can configure session_ticket_keys or session_ticket_keys_sds_secret_config in downstream TLS context, these settings have no effect on QUIC connections. This limitation is documented in #25418, which explicitly states that session ticket key plumbing is missing from the QUIC implementation.

This PR bridges that gap by enabling QUIC to use the same session ticket keys configured for TCP TLS, allowing session resumption to work across workers and processes.

Implementation

We create a custom EnvoyTlsServerHandshaker that extends QUICHE's TlsServerHandshaker and provides EnvoyProofSourceHandle to pass filter chain context during certificate selection.

Note: QUICHE's DefaultProofSourceHandle is a private nested class inside TlsServerHandshaker, so we cannot extend or reuse it directly. We had to copy the relevant implementation and add our customizations.

Key design decisions:

1. SSL ex_data for context passing: During SelectCertificate(), we store the filter chain pointer in SSL ex_data. This allows the session ticket callback to retrieve per-connection configuration.

2. SSL_CTX_set_tlsext_ticket_key_cb over SSL_CTX_set_ticket_aead_method: We use the same callback mechanism as TCP TLS rather than QUICHE's TicketCrypter interface. This allows us to reuse ServerContextImpl::sessionTicketProcess() directly, ensuring identical session ticket handling between TCP and QUIC.

3. Respect existing configuration: We check disable_stateless_session_resumption, session_ticket_keys, and handles_session_resumption from the transport socket factory and disable tickets accordingly via SSL_OP_NO_TICKET.

Flow

EnvoyTlsServerHandshaker::MaybeCreateProofSourceHandle()
  └─→ EnvoyProofSourceHandle::SelectCertificate()
        └─→ SSL_set_ex_data(ssl, filter_chain)

SSL_CTX_set_tlsext_ticket_key_cb (installed in OnNewSslCtx)
  └─→ SSL_get_ex_data(ssl) → filter_chain
        └─→ QuicServerTransportSocketFactory::sessionTicketProcess()
              └─→ ServerContextImpl::sessionTicketProcess()

Risk Level: Low (behind runtime guard, disabled by default)
Testing: Existing tests, manual verification with QUIC clients
Docs Changes: N/A
Release Notes: Added
Platform Specific Features: N/A
[Optional Runtime guard:] envoy.reloadable_features.quic_session_ticket_support (default: false)
[Optional Fixes #Issue] Partially addresses #25418

[repokitteh-read-only]

Hi @bellatoris, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #42734 was opened by bellatoris.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #42734 was opened by bellatoris.

see: more, trace.

[ravenblackx]

Please fix format.

/wait

[kyessenov]

Please merge main.
/wait

[bellatoris]

Please merge main.

done

[nezdolik]

@bellatoris looks like some CI checks need to be fixed

[bellatoris]

@nezdolik seems like they are flaky ones. except code coverage, all tests is passed.

[KBaichoo]

/wait

Need merge of main

[ggreenway]

Adding @RyanTheOptimist as a reviewer as @danzh2010 hasn't gotten to this yet.

[github-actions]

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[ggreenway]

@RyanTheOptimist or @danzh2010 please review

[danzh2010]

@RyanTheOptimist do you mind take a look at this. I'm not an expert of the TLS handshake implementation.

[danzh2010]

static_cast should be sufficient.

[danzh2010]

I thought QUICHE has the ability to disable ticket resumption so QUICHE user doesn't need to directly modify the boring SSL object. Is it missing the SSL_CTX_set_tlsext_ticket_key_cb? I'm not an expert in boring SSL, but my impression is that QUICHE completely hide the ssl object behind its own APIs. Maybe @RyanTheOptimist can shed some light on this?

And do we need to retain filter chain object in the ssl extension data? Can we store it in EnvoyProofSourceHandle or the handshaker?

[RyanTheOptimist]

Yeah QUICHE provides this method. Is it sufficient? in fact the whole TlsConnection object looks useful here. https://quiche.googlesource.com/quiche/+/refs/heads/main/quiche/quic/core/crypto/tls_connection.h?autodive=0%2F%2F%2F%2F%2F%2F%2F%2F#100

[bellatoris]

Yeah QUICHE provides this method. Is it sufficient? in fact the whole TlsConnection object looks useful here.

I'd prefer to use TlsConnection::DisableTicketSupport() directly, but tls_connection() returns const TlsConnection* and there's no non-const accessor from the subclass. The wrapper calls the same SSL_set_options(ssl(), SSL_OP_NO_TICKET) via the protected ssl() accessor. Open to suggestions if there's a better way to reach it.

And do we need to retain filter chain object in the ssl extension data? Can we store it in EnvoyProofSourceHandle or the handshaker?

The tlsext_ticket_key_cb callback is a C function pointer that only receives SSL*, and TlsConnection::ConnectionFromSsl() is protected with no public path back to the handshaker. SSL ex_data was the most straightforward way I found to pass per-connection context into this callback. Happy to take a different approach if you have ideas.

[RyanTheOptimist]

Sorry, which tls_connection() method are you referring to? TlsHandshaker::tls_connection()? We (QUICHE developers) could easily add a non-const version of that method if that would be helpful? Or we could call TlsServerHandshaker::DisableResumption() but maybe that's not ergonomic either?

[bellatoris]

Yes, I'm referring to TlsHandshaker::tls_connection() which returns const TlsConnection*. A non-const version would be ideal.

TlsServerHandshaker::DisableResumption() won't work here because QUICHE sets can_disable_resumption_ = false immediately before calling SelectCertificate():

// tls_server_handshaker.cc, EarlySelectCertCallback():
can_disable_resumption_ = false;                                          // line 1079
const QuicAsyncStatus status = proof_source_handle_->SelectCertificate(   // line 1080: our code runs here
    ...);

So when our EnvoyProofSourceHandle::SelectCertificate() needs to disable tickets based on per-filter-chain config, DisableResumption() returns false and does nothing:

  // tls_server_handshaker.cc:
  bool TlsServerHandshaker::DisableResumption() {
    if (!can_disable_resumption_ || ...) {  // already false
      return false;                         // no-op
    }
    tls_connection_.DisableTicketSupport(); // never reached
    return true;
  }

If you could add a non-const tls_connection() accessor, I'd switch to tls_connection()->DisableTicketSupport() directly.

[RyanTheOptimist]

Ok, once #44019 lands, a non-const tls_connection() method will be available.

/wait

[bellatoris]

@RyanTheOptimist i have addressed it, could you review it again?

[RyanTheOptimist]

Please comment on the meaning of these fields. Particular since the latter two both refer to "resumption" it would be good to make the distinction clear.

[RyanTheOptimist]

Yeah QUICHE provides this method. Is it sufficient? in fact the whole TlsConnection object looks useful here. https://quiche.googlesource.com/quiche/+/refs/heads/main/quiche/quic/core/crypto/tls_connection.h?autodive=0%2F%2F%2F%2F%2F%2F%2F%2F#100

[RyanTheOptimist]

Is this needed?

[RyanTheOptimist]

@RyanTheOptimist or @danzh2010 please review

Oh sorry. the "waiting" tag filtered this out of my "to do" list query.

[paul-r-gall]

@bellatoris please merge main.

@RyanTheOptimist please re-review.

[bellatoris]

thx @paul-r-gall main merged

[bellatoris]

/retest

[bellatoris]

/retest

[bellatoris]

/retest