Merge r1650310 and r1650320 from trunk:

mod_ssl: Add SSLSessionTickets (on|off). It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on). Using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. As long as we do not have a nice key management there needs to be a way to deactivate the use of session tickets. Submitted by: rjung Reviewed by: rjung, covener, ylavic Backported by: rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1652074 13f79535-47bb-0310-9956-ffa450edef68
2025-08-13 14:40:20 +00:00 · 2015-01-15 12:20:33 +00:00
parent 321f131d60
commit d53a8588ef
7 changed files with 58 additions and 13 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@ -553,6 +553,16 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
    }
 #endif

+#ifdef SSL_OP_NO_TICKET
+    /*
+     * Configure using RFC 5077 TLS session tickets
+     * for session resumption.
+     */
+    if (sc->session_tickets == FALSE) {
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+    }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    if (sc->insecure_reneg == TRUE) {
        SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);