trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject ssl_ticket_enabled=0 don't work
Date Thu, 29 Jan 2015 18:29:35 GMT

[root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt 
ssl_ticket_enabled=0

https://www.ssllabs.com/ssltest/
Session resumption (caching) 	Yes	
Session resumption (tickets) 	Yes	
SSL 2 handshake compatibility 	No

(the ssl 2 handshake compatibility needs to be fixed too for some clients 
like "ab", the apache benchmark tool)
_______________________________

today's release of httpd introduces an option for that and its 
description says for me "no i do not want to restart services daily"

with Off https://www.ssllabs.com/ssltest/ says correctly

Session resumption (caching) 	Yes	
Session resumption (tickets) 	 No

mod_ssl: New directive SSLSessionTickets (On|Off). The directive 
controls the use of TLS session tickets (RFC 5077), default value is 
"On" (unchanged behavior). Session ticket creation uses a random key 
created during web server startup and recreated during restarts. No 
other key recreation mechanism is available currently. Therefore using 
session tickets without restarting the web server with an appropriate 
frequency (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]

