Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on). Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. As long as we do not have a nice key management there should be a way to deactivate session tickets. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650310 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2015-01-08 15:34:10 +00:00
parent a8afe6572f
commit bf93fed8a1
5 changed files with 49 additions and 0 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -574,6 +574,16 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
    }
 #endif

+#ifdef SSL_OP_NO_TICKET
+    /*
+     * Configure using RFC 5077 TLS session tickets
+     * for session resumption.
+     */
+    if (sc->session_tickets == FALSE) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+    }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    if (sc->insecure_reneg == TRUE) {
        SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);