|
|
b19d6e |
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
|
|
|
b19d6e |
index ca178ab..4580f1c 100644
|
|
|
b19d6e |
--- a/docs/manual/mod/mod_ssl.html.en
|
|
|
b19d6e |
+++ b/docs/manual/mod/mod_ssl.html.en
|
|
|
b19d6e |
@@ -57,6 +57,7 @@ to provide the cryptography engine.
|
|
|
b19d6e |
SSLCertificateKeyFile
|
|
|
b19d6e |
SSLCipherSuite
|
|
|
b19d6e |
SSLCompression
|
|
|
b19d6e |
+ SSLSessionTickets
|
|
|
b19d6e |
SSLCryptoDevice
|
|
|
b19d6e |
SSLEngine
|
|
|
b19d6e |
SSLFIPS
|
|
|
b19d6e |
@@ -797,6 +798,26 @@ CRIME attack).
|
|
|
b19d6e |
|
|
|
b19d6e |
|
|
|
b19d6e |
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+Description:Enable or disable use of TLS session tickets
|
|
|
b19d6e |
+Syntax:SSLSessionTickets on|off
|
|
|
b19d6e |
+Default:SSLCompression on
|
|
|
b19d6e |
+Context:server config, virtual host
|
|
|
b19d6e |
+Status:Extension
|
|
|
b19d6e |
+Module:mod_ssl
|
|
|
b19d6e |
+Compatibility:Available.
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+This directive allows to enable or disable the use of TLS session tickets(RFC 5077).
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+TLS session tickets are enabled by default. Using them without restarting
|
|
|
b19d6e |
+the web server with an appropriate frequency (e.g. daily) compromises perfect
|
|
|
b19d6e |
+forward secrecy.
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+
|
|
|
b19d6e |
+
|
|
|
b19d6e |
|
|
|
b19d6e |
|
|
|
b19d6e |
|
|
|
b19d6e |
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
|
|
|
b19d6e |
index bbe1d20..4a8b661 100644
|
|
|
b19d6e |
--- a/modules/ssl/mod_ssl.c
|
|
|
b19d6e |
+++ b/modules/ssl/mod_ssl.c
|
|
|
b19d6e |
@@ -141,6 +141,9 @@ static const command_rec ssl_config_cmds[] = {
|
|
|
b19d6e |
SSL_CMD_SRV(Compression, FLAG,
|
|
|
b19d6e |
"Enable SSL level compression"
|
|
|
b19d6e |
"(`on', `off')")
|
|
|
b19d6e |
+ SSL_CMD_SRV(SessionTickets, FLAG,
|
|
|
b19d6e |
+ "Enable or disable TLS session tickets"
|
|
|
b19d6e |
+ "(`on', `off')")
|
|
|
b19d6e |
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
|
|
|
b19d6e |
"Enable support for insecure renegotiation")
|
|
|
b19d6e |
SSL_CMD_ALL(UserName, TAKE1,
|
|
|
b19d6e |
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
|
|
|
b19d6e |
index 9530fcc..86a7f0f 100644
|
|
|
b19d6e |
--- a/modules/ssl/ssl_engine_config.c
|
|
|
b19d6e |
+++ b/modules/ssl/ssl_engine_config.c
|
|
|
b19d6e |
@@ -216,6 +216,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
|
|
|
b19d6e |
#ifndef OPENSSL_NO_COMP
|
|
|
b19d6e |
sc->compression = UNSET;
|
|
|
b19d6e |
#endif
|
|
|
b19d6e |
+ sc->session_tickets = UNSET;
|
|
|
b19d6e |
|
|
|
b19d6e |
modssl_ctx_init_proxy(sc, p);
|
|
|
b19d6e |
|
|
|
b19d6e |
@@ -346,6 +347,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
|
|
|
b19d6e |
#ifndef OPENSSL_NO_COMP
|
|
|
b19d6e |
cfgMergeBool(compression);
|
|
|
b19d6e |
#endif
|
|
|
b19d6e |
+ cfgMergeBool(session_tickets);
|
|
|
b19d6e |
|
|
|
b19d6e |
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
|
|
|
b19d6e |
|
|
|
b19d6e |
@@ -720,6 +722,17 @@ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
|
|
|
b19d6e |
#endif
|
|
|
b19d6e |
}
|
|
|
b19d6e |
|
|
|
b19d6e |
+const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
|
|
|
b19d6e |
+{
|
|
|
b19d6e |
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
|
|
b19d6e |
+#ifndef SSL_OP_NO_TICKET
|
|
|
b19d6e |
+ return "This version of OpenSSL does not support using "
|
|
|
b19d6e |
+ "SSLSessionTickets.";
|
|
|
b19d6e |
+#endif
|
|
|
b19d6e |
+ sc->session_tickets = flag ? TRUE : FALSE;
|
|
|
b19d6e |
+ return NULL;
|
|
|
b19d6e |
+}
|
|
|
b19d6e |
+
|
|
|
b19d6e |
const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
|
|
|
b19d6e |
{
|
|
|
b19d6e |
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
|
|
|
b19d6e |
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
|
|
|
b19d6e |
index 568627f..672760c 100644
|
|
|
b19d6e |
--- a/modules/ssl/ssl_engine_init.c
|
|
|
b19d6e |
+++ b/modules/ssl/ssl_engine_init.c
|
|
|
b19d6e |
@@ -566,6 +566,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
|
|
|
b19d6e |
}
|
|
|
b19d6e |
#endif
|
|
|
b19d6e |
|
|
|
b19d6e |
+#ifdef SSL_OP_NO_TICKET
|
|
|
b19d6e |
+ /*
|
|
|
b19d6e |
+ * Configure using RFC 5077 TLS session tickets
|
|
|
b19d6e |
+ * for session resumption.
|
|
|
b19d6e |
+ */
|
|
|
b19d6e |
+ if (sc->session_tickets == FALSE) {
|
|
|
b19d6e |
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
|
|
|
b19d6e |
+ }
|
|
|
b19d6e |
+#endif
|
|
|
b19d6e |
+
|
|
|
b19d6e |
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
|
|
|
b19d6e |
if (sc->insecure_reneg == TRUE) {
|
|
|
b19d6e |
SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
|
|
|
b19d6e |
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
|
|
|
b19d6e |
index 0cc6d3f..b601316 100644
|
|
|
b19d6e |
--- a/modules/ssl/ssl_private.h
|
|
|
b19d6e |
+++ b/modules/ssl/ssl_private.h
|
|
|
b19d6e |
@@ -701,6 +701,7 @@ struct SSLSrvConfigRec {
|
|
|
b19d6e |
#ifndef OPENSSL_NO_COMP
|
|
|
b19d6e |
BOOL compression;
|
|
|
b19d6e |
#endif
|
|
|
b19d6e |
+ BOOL session_tickets;
|
|
|
b19d6e |
};
|
|
|
b19d6e |
|
|
|
b19d6e |
/**
|
|
|
b19d6e |
@@ -756,6 +757,7 @@ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
|
|
|
b19d6e |
const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
|
|
|
b19d6e |
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
|
|
|
b19d6e |
const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
|
|
|
b19d6e |
+const char *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
|
|
|
b19d6e |
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
|
|
|
b19d6e |
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
|
|
|
b19d6e |
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
|