fix: disable TLS session tickets on R2 client (OP_NO_TICKET) to fix SSLV3_ALERT_BAD_RECORD_MAC

Extract _make_r2_client() helper that creates an SSLContext with OP_NO_TICKET set. Python's ssl module caches TLS session tickets independently of httpcore's connection pool — even with max_keepalive_connections=0, Python attempts session resumption on every new TCP connection. R2 rejects the resumed session with SSLV3_ALERT_BAD_RECORD_MAC.

TDD: TestT16R2SSLNoTicket (2 tests) in test_presign_upload.py — all 15 pass.

sha256:1364a995767a912caeed88a1256380bd3449d0fb4e10426e75cf2d4afe2582a4 sha

sha256:cf32f3b495a0c7ee1b8da9273685ba66d4f9ba749bb54b99fdd8f5cdaac9a2ff parent

sha256:db399695abe3a6fff51fc7161e5ae254c79bebe2ac775559658a5505a1e72829 snapshot

← Older Oldest on task/wire-r2-tls-no-ticket

All commits

Newer → Latest on task/wire-r2-tls-no-ticket

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:1364a995767a912caeed88a1256380bd3449d0fb4e10426e75cf2d4afe2582a4 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:db399695abe3a6fff51fc7161e5ae254c79bebe2ac775559658a5505a1e72829

Files 0

Browse tree at this commit →

Commit

SHA sha256:1364a995767a912caeed88a1256380bd3449d0fb4e10426e75cf2d4afe2582a4

Parent

sha256:cf32f3b495a0c7ee1b8da9273685ba66d4f9ba749bb54b99fdd8f5cdaac9a2ff

Branch task/wire-r2-tls-no-ticket