trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: ssl_ticket_enabled=0 don't work
Date Thu, 29 Jan 2015 19:25:18 GMT

> On Jan 29, 2015, at 10:29 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt ssl_ticket_enabled=0
> 
> https://www.ssllabs.com/ssltest/
> Session resumption (caching) 	Yes	
> Session resumption (tickets) 	Yes	
> SSL 2 handshake compatibility 	No

First, what version of OpenSSL is this? We try to set SSL_OP_NO_TICKET, which I believe was
added in OpenSSL 0.9.9. Maybe httpd uses a different technique to disable session tickets.

Can you turn on "ssl" debug logging? With ssl_ticket_enabled=0 you should see a message like
"ssl session ticket is disabled" ...

> 
> (the ssl 2 handshake compatibility needs to be fixed too for some clients like "ab", the apache benchmark tool)
> _______________________________
> 
> today's release of httpd introduces an option for that, and its description says to me "no, I do not want to restart services daily"
> 
> with Off https://www.ssllabs.com/ssltest/ says correctly
> 
> Session resumption (caching) 	Yes	
> Session resumption (tickets) 	 No
> 
> mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
> 
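
As an added illustration (not part of the thread, and not Traffic Server or httpd code), the Go program below reproduces locally what the SSL Labs "Session resumption (tickets)" row reports: it runs a TLS 1.2 handshake against an in-memory server with session tickets enabled and disabled and checks whether the client was handed a ticket. Go's SessionTicketsDisabled stands in for SSL_OP_NO_TICKET / ssl_ticket_enabled=0 / SSLSessionTickets Off; the certificate and the name example.test are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate and a trust pool for the in-memory server
// (constructed test data; "example.test" is an assumed name, not from the thread).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"},
		Subject:   pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// TicketIssued runs one TLS 1.2 handshake over an in-memory pipe and reports whether the server
// handed the client a session ticket; ticketsDisabled stands in for ssl_ticket_enabled=0.
func TicketIssued(ticketsDisabled bool) (bool, error) {
	cert, pool := selfSignedCert()
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: tls.VersionTLS12,
		SessionTicketsDisabled: ticketsDisabled}
	// Go's client only stores a session when the server actually sent a NewSessionTicket.
	cache := tls.NewLRUClientSessionCache(4)
	cli := &tls.Config{RootCAs: pool, ServerName: "example.test", MaxVersion: tls.VersionTLS12,
		ClientSessionCache: cache}
	a, b := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(a, srv).Handshake() }()
	if err := tls.Client(b, cli).Handshake(); err != nil {
		return false, err
	}
	if err := <-srvErr; err != nil {
		return false, err
	}
	_, gotTicket := cache.Get("example.test")
	return gotTicket, nil
}
```

With tickets enabled the client cache holds a session after the handshake; with them disabled it stays empty, which is the condition that should also make the SSL Labs row read "No".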

