Subject: svn commit: r1650310 - in /httpd/httpd/trunk:
docs/manual/mod/mod_ssl.xml
modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h
Date: Thu, 08 Jan 2015 15:34:11 -0000
To: cvs@httpd.apache.org
From: rjung@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20150108153414.D22CAAC0110@hades.apache.org>
Author: rjung
Date: Thu Jan 8 15:34:10 2015
New Revision: 1650310
URL: http://svn.apache.org/r1650310
Log:
Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on).

Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.

As long as we do not have nice key management there should be a way to deactivate session tickets.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1650310&r1=1650309&r2=1650310&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Jan 8 15:34:10 2015
@@ -2590,6 +2590,27 @@ CRIME attack).
+SSLSessionTickets
+Enable or disable use of TLS session tickets
+SSLSessionTickets on|off
+SSLCompression on
+server config
+virtual host
+Available in httpd 2.4.11 and later, if using OpenSSL 0.9.8f
+or later.
+
+
+This directive allows to enable or disable the use of TLS session tickets
+(RFC 5077).
+
+TLS session tickets are enabled by default. Using them without restarting
+the web server with an appropriate frequency (e.g. daily) compromises perfect
+forward secrecy.
+
+
+
+
+
SSLOpenSSLConfCmd
Configure OpenSSL parameters through its SSL_CONF API
SSLOpenSSLConfCmd command-name command-value
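Review bot: the default line of the new directive block reads `SSLCompression on` where it should read `SSLSessionTickets on`; this looks like a leftover from copying the SSLCompression entry, and it contradicts the hunk's own text ("TLS session tickets are enabled by default"). While here, "This directive allows to enable or disable the use of TLS session tickets" is ungrammatical; suggest "This directive enables or disables the use of TLS session tickets (RFC 5077)."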
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1650310&r1=1650309&r2=1650310&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Thu Jan 8 15:34:10 2015
@@ -148,6 +148,9 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(Compression, FLAG,
"Enable SSL level compression "
"(`on', `off')")
+ SSL_CMD_SRV(SessionTickets, FLAG,
+ "Enable or disable TLS session tickets"
+ "(`on', `off')")
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
"Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1,
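Review bot: the help string for SessionTickets is missing a separating space: `"Enable or disable TLS session tickets"` followed by `"(`on', `off')"` concatenates to `...tickets(`on', `off')`. Add a trailing space to the first literal, as the Compression entry two lines above does with `"Enable SSL level compression "`.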
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1650310&r1=1650309&r2=1650310&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Jan 8 15:34:10 2015
@@ -222,6 +222,7 @@ static SSLSrvConfigRec *ssl_config_serve
#ifndef OPENSSL_NO_COMP
sc->compression = UNSET;
#endif
+ sc->session_tickets = UNSET;
modssl_ctx_init_proxy(sc, p);
@@ -356,6 +357,7 @@ void *ssl_config_server_merge(apr_pool_t
#ifndef OPENSSL_NO_COMP
cfgMergeBool(compression);
#endif
+ cfgMergeBool(session_tickets);
modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
@@ -733,6 +735,17 @@ const char *ssl_cmd_SSLHonorCipherOrder(
#endif
}
+const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_TICKET
+ return "This version of OpenSSL does not support using "
+ "SSLSessionTickets.";
+#endif
+ sc->session_tickets = flag ? TRUE : FALSE;
+ return NULL;
+}
+
const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
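Review bot: in ssl_cmd_SSLSessionTickets the `#ifndef SSL_OP_NO_TICKET` block returns unconditionally, so on an OpenSSL build without SSL_OP_NO_TICKET the assignment to `sc->session_tickets` and the final `return NULL;` are unreachable and `sc` is set but never used, which will draw compiler warnings. Restructure as `#ifdef SSL_OP_NO_TICKET` ... `return NULL;` `#else` ... `return "This version of OpenSSL does not support ...";` `#endif`, matching ssl_cmd_SSLInsecureRenegotiation directly below, with the `mySrvConfig(cmd->server)` call moved inside the supported branch.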
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1650310&r1=1650309&r2=1650310&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu Jan 8 15:34:10 2015
@@ -574,6 +574,16 @@ static apr_status_t ssl_init_ctx_protoco
}
#endif
+#ifdef SSL_OP_NO_TICKET
+ /*
+ * Configure using RFC 5077 TLS session tickets
+ * for session resumption.
+ */
+ if (sc->session_tickets == FALSE) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+ }
+#endif
+
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
if (sc->insecure_reneg == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
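Review bot: the comment "Configure using RFC 5077 TLS session tickets for session resumption" does not describe what the code does; it only ever disables tickets. Say so: tickets stay at the OpenSSL default (on) unless `SSLSessionTickets off` was configured, in which case SSL_OP_NO_TICKET is set. The `== FALSE` test is right in that UNSET (directive absent) keeps the documented default. Since SSLSessionCache (declared at the end of this diff) still governs server-side resumption when tickets are off, the documentation hunk could note that operators who disable tickets for forward-secrecy reasons should review that cache's lifetime as well.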
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1650310&r1=1650309&r2=1650310&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Thu Jan 8 15:34:10 2015
@@ -648,6 +648,7 @@ struct SSLSrvConfigRec {
#ifndef OPENSSL_NO_COMP
BOOL compression;
#endif
+ BOOL session_tickets;
};
/**
@@ -702,6 +703,7 @@ const char *ssl_cmd_SSLCARevocationFile
const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
+const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);