www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

Add SSLSessionTickets (on|off).

Browse Source 
It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).

Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.

As long as we do not have a nice key management
there should be a way to deactivate session
tickets.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1650310 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Rainer Jung
2015-01-08 15:34:10 +00:00
parent a8afe6572f
commit bf93fed8a1
5 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/manual/mod/mod_ssl.xml
View File

@@ -2589,6 +2589,27 @@ CRIME attack).</p>
</usage> </usage>
</directivesynopsis> </directivesynopsis>
<directivesynopsis>
<name>SSLSessionTickets</name>
<description>Enable or disable use of TLS session tickets</description>
<syntax>SSLSessionTickets on|off</syntax>
<default>SSLCompression on</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.4.11 and later, if using OpenSSL 0.9.8f
or later.</compatibility>
<usage>
<p>This directive allows to enable or disable the use of TLS session tickets
(RFC 5077).</p>
<note type="warning">
<p>TLS session tickets are enabled by default. Using them without restarting
the web server with an appropriate frequency (e.g. daily) compromises perfect
forward secrecy.</p>
</note>
</usage>
</directivesynopsis>
<directivesynopsis> <directivesynopsis>
<name>SSLOpenSSLConfCmd</name> <name>SSLOpenSSLConfCmd</name>
<description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description> <description>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</description>

3
modules/ssl/mod_ssl.c
View File

@@ -148,6 +148,9 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(Compression, FLAG, SSL_CMD_SRV(Compression, FLAG,
"Enable SSL level compression " "Enable SSL level compression "
"(`on', `off')") "(`on', `off')")
SSL_CMD_SRV(SessionTickets, FLAG,
"Enable or disable TLS session tickets"
"(`on', `off')")
SSL_CMD_SRV(InsecureRenegotiation, FLAG, SSL_CMD_SRV(InsecureRenegotiation, FLAG,
"Enable support for insecure renegotiation") "Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1, SSL_CMD_ALL(UserName, TAKE1,

13
modules/ssl/ssl_engine_config.c
View File

@@ -222,6 +222,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
sc->compression = UNSET; sc->compression = UNSET;
#endif #endif
sc->session_tickets = UNSET;
modssl_ctx_init_proxy(sc, p); modssl_ctx_init_proxy(sc, p);
@@ -356,6 +357,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
cfgMergeBool(compression); cfgMergeBool(compression);
#endif #endif
cfgMergeBool(session_tickets);
modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy); modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
@@ -733,6 +735,17 @@ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
#endif #endif
} }
const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
#ifndef SSL_OP_NO_TICKET
return "This version of OpenSSL does not support using "
"SSLSessionTickets.";
#endif
sc->session_tickets = flag ? TRUE : FALSE;
return NULL;
}
const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag) const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
{ {
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

10
modules/ssl/ssl_engine_init.c
View File

@@ -574,6 +574,16 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
} }
#endif #endif
#ifdef SSL_OP_NO_TICKET
/*
* Configure using RFC 5077 TLS session tickets
* for session resumption.
*/
if (sc->session_tickets == FALSE) {
SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
}
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
if (sc->insecure_reneg == TRUE) { if (sc->insecure_reneg == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);

2
modules/ssl/ssl_private.h
View File

@@ -648,6 +648,7 @@ struct SSLSrvConfigRec {
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
BOOL compression; BOOL compression;
#endif #endif
BOOL session_tickets;
}; };
/** /**
@@ -702,6 +703,7 @@ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag); const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);