httpd-dev mailing list archives

From Rainer Jung <>
Subject Re: [PATCH] Support for TLS Session Tickets
Date Fri, 30 Sep 2011 07:38:14 GMT
Hi Paul,

On 30.09.2011 08:08, Paul Querna wrote:
> Hiya,
> Attached is a patch
> <>
>  to add support for setting SSL_CTX_set_tlsext_ticket_keys.

Unfortunately I don't have answers to your questions, but I'm a bit
curious about the patch. As far as I understand we already support RFC
5077 (even with 2.2.x). So am I right that the patch is about improving
key handling?

The Changelog for OpenSSL 0.9.8f says:

*) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted encoded
     SSL_SESSION structure, that way new session features are automatically


     The SSL_CTX structure automatically generates keys for ticket
     protection in servers so again support should be possible
     with no application modification.

So do we actually need to worry about the keys?

Then for 0.9.8g there is the following change:

 *) Add TLS session ticket callback. This allows an application to set
     TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
     values. This is useful for key rollover for example where several key
     sets may exist with different names.

There was some discussion about improving session ticket support in 2009:

The thread contains some interesting remarks by Stephen concerning the
keys. The proposed code IMHO was never applied (nor was there consensus).

Finally there is a Bugzilla about session tickets not respecting the
defined session timeout:



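Rollover with several named key sets, as the 0.9.8g changelog entry above describes, comes down to a small ring: the current set protects newly issued tickets, a few predecessors still decrypt, and any older name is rejected. The block below is an added example, not code from this thread or from httpd; it implements only that selection logic in plain C using the 0/1/2 return convention of OpenSSL's ticket key callback, leaves out the EVP/HMAC wiring, and all key names and key bytes are constructed.

```c
#include <string.h>

/* Key-set layout a tlsext ticket key callback works with: a 16-byte name
 * carried in the clear inside the ticket, plus the cipher and HMAC secrets.
 * Sizes are assumptions for this example (AES-128 key, 16-byte HMAC secret). */
#define TNAME 16
#define TKEY  16
#define TRING 3   /* current key plus two predecessors that are still accepted */

typedef struct {
    unsigned char name[TNAME], aes_key[TKEY], hmac_key[TKEY];
    int in_use;
} ticket_key_t;

typedef struct { ticket_key_t keys[TRING]; int current; } ticket_ring_t;

void ticket_ring_init(ticket_ring_t *r) { memset(r, 0, sizeof *r); r->current = TRING - 1; }

/* Install a fresh key set as the one used to issue new tickets. The oldest set
 * is overwritten, so tickets protected by it fail lookup and force a full handshake. */
void ticket_ring_rotate(ticket_ring_t *r, const unsigned char *name,
                        const unsigned char *aes, const unsigned char *hmac) {
    int next = (r->current + 1) % TRING;
    ticket_key_t *k = &r->keys[next];
    memcpy(k->name, name, TNAME);
    memcpy(k->aes_key, aes, TKEY);
    memcpy(k->hmac_key, hmac, TKEY);
    k->in_use = 1;
    r->current = next;
}

/* enc == 1 side of the callback: the key set stamped into tickets issued now. */
const ticket_key_t *ticket_ring_current(const ticket_ring_t *r) { return &r->keys[r->current]; }

/* enc == 0 side, same return convention OpenSSL expects from the callback:
 * 0 = name unknown (reject ticket), 1 = current key, 2 = older key still accepted,
 * so the server should hand the client a renewed ticket under the current key. */
int ticket_ring_lookup(const ticket_ring_t *r, const unsigned char *name, const ticket_key_t **out) {
    for (int i = 0; i < TRING; i++) {
        if (r->keys[i].in_use && memcmp(r->keys[i].name, name, TNAME) == 0) {
            *out = &r->keys[i];
            return i == r->current ? 1 : 2;
        }
    }
    return 0;
}

/* Walk one rollover cycle with constructed names; returns the four lookup
 * results packed as decimal digits (oldest first) so the outcome can be checked. */
int rollover_demo(void) {
    static const unsigned char names[4][TNAME] =
        {"key-2011-09-01", "key-2011-09-15", "key-2011-09-29", "key-2011-10-13"};
    unsigned char secret[TKEY] = {0};   /* constructed placeholder, not real key material */
    ticket_ring_t ring; const ticket_key_t *k; int packed = 0;
    ticket_ring_init(&ring);
    for (int i = 0; i < 4; i++) ticket_ring_rotate(&ring, names[i], secret, secret);
    for (int i = 0; i < 4; i++) packed = packed * 10 + ticket_ring_lookup(&ring, names[i], &k);
    return packed;   /* 221: oldest evicted (0), two older accepted with renewal (2,2), newest current (1) */
}
```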