From: Reindl Harald
Organization: the lounge interactive design
Date: Fri, 30 Jan 2015 01:14:02 +0100
To: users@trafficserver.apache.org
Subject: Re: ssl_ticket_enabled=0 don't work
Message-ID: <54CACCCA.4000703@thelounge.net>
References: <54CA7C0F.8040305@thelounge.net>

On 29.01.2015 at 20:25, James Peach wrote:
>> On Jan 29, 2015, at 10:29 AM, Reindl Harald wrote:
>>
>> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
>> ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt ssl_ticket_enabled=0
>>
>> https://www.ssllabs.com/ssltest/
>> Session resumption (caching)    Yes
>> Session resumption (tickets)    Yes
>> SSL 2 handshake compatibility   No
>
> First, what version of OpenSSL is this? We try to set SSL_OP_NO_TICKET, which I believe was added in OpenSSL 0.9.9. Maybe httpd uses a different technique to disable session tickets.

Fedora 20 openssl-1.0.1e-41.fc20

> Can you turn on "ssl" debug logging? With ssl_ticket_enabled=0 you should see a message like "ssl session ticket is disabled"

... not sure how to do that

the only server reachable for ssllabs is the production one; testing environments are not reachable from outside

>> (the ssl 2 handshake compatibility needs to be fixed too for some clients like "ab", the apache benchmark tool)

BTW: that has annoyed me for years now - "ab" supports SNI fine, but not with ATS

>> _______________________________
>>
>> today's release of httpd introduces an option for that, and its description says to me "no, i do not want to restart services daily"
>>
>> with Off, https://www.ssllabs.com/ssltest/ correctly says
>>
>> Session resumption (caching)    Yes
>> Session resumption (tickets)    No
>>
>> mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]