Subject: svn commit: r1650310 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h
Date: Thu, 08 Jan 2015 15:34:11 -0000
To: cvs@httpd.apache.org
From: rjung@apache.org
Message-Id: <20150108153414.D22CAAC0110@hades.apache.org>
Author: rjung
Date: Thu Jan 8 15:34:10 2015
New Revision: 1650310
URL: http://svn.apache.org/r1650310

Log:
Add SSLSessionTickets (on|off). It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on).

Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. As long as we do not have nice key management there should be a way to deactivate session tickets.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1650310&r1=1650309&r2=1650310&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Jan 8 15:34:10 2015 @@ -2590,6 +2590,27 @@ CRIME attack).

+SSLSessionTickets +Enable or disable use of TLS session tickets +SSLSessionTickets on|off +SSLCompression on +server config +virtual host +Available in httpd 2.4.11 and later, if using OpenSSL 0.9.8f +or later. + + +

This directive allows to enable or disable the use of TLS session tickets +(RFC 5077).

+ +

TLS session tickets are enabled by default. Using them without restarting +the web server with an appropriate frequency (e.g. daily) compromises perfect +forward secrecy.

+
+
+
+ + SSLOpenSSLConfCmd Configure OpenSSL parameters through its SSL_CONF API SSLOpenSSLConfCmd command-name command-value Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1650310&r1=1650309&r2=1650310&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original) +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Thu Jan 8 15:34:10 2015 @@ -148,6 +148,9 @@ static const command_rec ssl_config_cmds SSL_CMD_SRV(Compression, FLAG, "Enable SSL level compression " "(`on', `off')") + SSL_CMD_SRV(SessionTickets, FLAG, + "Enable or disable TLS session tickets" + "(`on', `off')") SSL_CMD_SRV(InsecureRenegotiation, FLAG, "Enable support for insecure renegotiation") SSL_CMD_ALL(UserName, TAKE1, Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1650310&r1=1650309&r2=1650310&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Thu Jan 8 15:34:10 2015 @@ -222,6 +222,7 @@ static SSLSrvConfigRec *ssl_config_serve #ifndef OPENSSL_NO_COMP sc->compression = UNSET; #endif + sc->session_tickets = UNSET; modssl_ctx_init_proxy(sc, p); @@ -356,6 +357,7 @@ void *ssl_config_server_merge(apr_pool_t #ifndef OPENSSL_NO_COMP cfgMergeBool(compression); #endif + cfgMergeBool(session_tickets); modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy); 
@@ -733,6 +735,17 @@ const char *ssl_cmd_SSLHonorCipherOrder( #endif } +const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); +#ifndef SSL_OP_NO_TICKET + return "This version of OpenSSL does not support using " + "SSLSessionTickets."; +#endif + sc->session_tickets = flag ? TRUE : FALSE; + return NULL; +} + const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag) { #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1650310&r1=1650309&r2=1650310&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Thu Jan 8 15:34:10 2015 @@ -574,6 +574,16 @@ static apr_status_t ssl_init_ctx_protoco } #endif +#ifdef SSL_OP_NO_TICKET + /* + * Configure using RFC 5077 TLS session tickets + * for session resumption. + */ + if (sc->session_tickets == FALSE) { + SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET); + } +#endif + #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION if (sc->insecure_reneg == TRUE) { SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1650310&r1=1650309&r2=1650310&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original) +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Thu Jan 8 15:34:10 2015 @@ -648,6 +648,7 @@ struct SSLSrvConfigRec { #ifndef OPENSSL_NO_COMP BOOL compression; #endif + BOOL session_tickets; }; /** 
@@ -702,6 +703,7 @@ const char *ssl_cmd_SSLCARevocationFile const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag); +const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag); const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
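Review bot: the default entry in the new mod_ssl.xml directivesynopsis reads "SSLCompression on", a leftover from the SSLCompression block it was copied from; it should read "SSLSessionTickets on" so it agrees with the "TLS session tickets are enabled by default" sentence in the usage text. Two smaller points in the same hunk: "This directive allows to enable or disable the use of TLS session tickets" is not grammatical ("This directive enables or disables the use of TLS session tickets (RFC 5077)" would do), and the usage text tells the administrator to restart "with an appropriate frequency (e.g. daily)" without saying why; one sentence tying the restart to replacing the key that encrypts the tickets, which is the key-management gap the log message mentions, would make the forward-secrecy advice actionable.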
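Review bot: the help string in the mod_ssl.c hunk lacks a space between its two concatenated literals, so `-L mod_ssl` help renders as "Enable or disable TLS session tickets(`on', `off')". The SSLCompression entry directly above ends its first literal with a trailing space ("Enable SSL level compression "); "Enable or disable TLS session tickets " would match it.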
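Review bot: in ssl_cmd_SSLSessionTickets the `#ifndef SSL_OP_NO_TICKET` block returns unconditionally, so on a build without that macro the assignment `sc->session_tickets = flag ? TRUE : FALSE;` is unreachable and `sc` from `mySrvConfig(cmd->server)` is set but never used, both of which draw compiler warnings. ssl_cmd_SSLInsecureRenegotiation just below keeps the assignment inside `#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` with the error string in the `#else` branch; laying this function out the same way (`#ifdef SSL_OP_NO_TICKET` ... `#else return "This version of OpenSSL does not support using SSLSessionTickets."; #endif`) keeps the two consistent and removes the dead code.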
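Review bot: the comment on the new block in ssl_init_ctx_protocol ("Configure using RFC 5077 TLS session tickets for session resumption") describes the opposite of what the code does; the block only ever disables tickets, calling `SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET)` when `sc->session_tickets == FALSE`, and leaves the OpenSSL default alone otherwise. Reword it to something like "Disable RFC 5077 session tickets if SSLSessionTickets off was configured". The `== FALSE` comparison itself is right: ssl_config_server_new initialises the field to UNSET and cfgMergeBool propagates it, so an unset directive must keep tickets on, which a `!sc->session_tickets` test would get wrong.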
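The directive added by this commit, shown in the context an administrator would actually deploy it in. This is an added configuration example, not part of the commit or the httpd documentation; the hostname, certificate paths and cache path are placeholders, and the cipher list is one illustrative choice.

```apache
# Added example (not from r1650310): a TLS virtual host with session
# tickets turned off, so resumption relies on the server-side session
# cache rather than on a ticket key that lives as long as the server
# process.  Hostname and file paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Ephemeral key exchange only, so each full handshake uses a fresh key.
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

    # Added in r1650310 (httpd 2.4.11 and later, OpenSSL 0.9.8f and later).
    # The default is "on".  "off" sets SSL_OP_NO_TICKET on the SSL_CTX,
    # so this host stops issuing RFC 5077 tickets to clients.
    SSLSessionTickets off
</VirtualHost>

# Server-side session cache (needs mod_socache_shmcb loaded) so clients
# can still resume via session IDs; entries expire after the timeout
# and the cache is recreated on restart.
SSLSessionCache        shmcb:/var/run/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300
```

After a reload, `openssl s_client -connect www.example.com:443 </dev/null` should no longer print a "TLS session ticket:" block in its session summary, and a second connection with `-sess_in` of the saved session should still resume through the session ID. Leaving the directive at its default "on" is only as forward-secret as the ticket key's lifetime, which, until mod_ssl gets key rotation, means the restart cadence the log message talks about.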