b19d6e
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
b19d6e
index ca178ab..4580f1c 100644
b19d6e
--- a/docs/manual/mod/mod_ssl.html.en
b19d6e
+++ b/docs/manual/mod/mod_ssl.html.en
b19d6e
@@ -57,6 +57,7 @@ to provide the cryptography engine.

b19d6e
 
  • SSLCertificateKeyFile
  • b19d6e
     
  • SSLCipherSuite
  • b19d6e
     
  • SSLCompression
  • b19d6e
    +
  • SSLSessionTickets
  • b19d6e
     
  • SSLCryptoDevice
  • b19d6e
     
  • SSLEngine
  • b19d6e
     
  • SSLFIPS
  • b19d6e
    @@ -797,6 +798,26 @@ CRIME attack).

    b19d6e
     
    b19d6e
     
    b19d6e
     
    b19d6e
    +
    b19d6e
    +
    top
    b19d6e
    +
    b19d6e
    +
    b19d6e
    +Description:Enable or disable use of TLS session tickets
    b19d6e
    +Syntax:SSLSessionTickets on|off
    b19d6e
    +Default:SSLCompression on
    b19d6e
    +Context:server config, virtual host
    b19d6e
    +Status:Extension
    b19d6e
    +Module:mod_ssl
    b19d6e
    +Compatibility:Available.
    b19d6e
    +
    b19d6e
    +

    This directive allows to enable or disable the use of TLS session tickets(RFC 5077).

    b19d6e
    +
    b19d6e
    +

    TLS session tickets are enabled by default. Using them without restarting

    b19d6e
    +the web server with an appropriate frequency (e.g. daily) compromises perfect
    b19d6e
    +forward secrecy.

    b19d6e
    +
    b19d6e
    +
    b19d6e
    +
    b19d6e
     
    top
    b19d6e
     
    b19d6e
     
    b19d6e
    diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
    b19d6e
    index bbe1d20..4a8b661 100644
    b19d6e
    --- a/modules/ssl/mod_ssl.c
    b19d6e
    +++ b/modules/ssl/mod_ssl.c
    b19d6e
    @@ -141,6 +141,9 @@ static const command_rec ssl_config_cmds[] = {
    b19d6e
         SSL_CMD_SRV(Compression, FLAG,
    b19d6e
                     "Enable SSL level compression"
    b19d6e
                     "(`on', `off')")
    b19d6e
    +    SSL_CMD_SRV(SessionTickets, FLAG,
    b19d6e
    +                "Enable or disable TLS session tickets"
    b19d6e
    +                "(`on', `off')")
    b19d6e
         SSL_CMD_SRV(InsecureRenegotiation, FLAG,
    b19d6e
                     "Enable support for insecure renegotiation")
    b19d6e
         SSL_CMD_ALL(UserName, TAKE1,
    b19d6e
    diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
    b19d6e
    index 9530fcc..86a7f0f 100644
    b19d6e
    --- a/modules/ssl/ssl_engine_config.c
    b19d6e
    +++ b/modules/ssl/ssl_engine_config.c
    b19d6e
    @@ -216,6 +216,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
    b19d6e
     #ifndef OPENSSL_NO_COMP
    b19d6e
         sc->compression            = UNSET;
    b19d6e
     #endif
    b19d6e
    +    sc->session_tickets        = UNSET;
    b19d6e
     
    b19d6e
         modssl_ctx_init_proxy(sc, p);
    b19d6e
     
    b19d6e
    @@ -346,6 +347,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
    b19d6e
     #ifndef OPENSSL_NO_COMP
    b19d6e
         cfgMergeBool(compression);
    b19d6e
     #endif
    b19d6e
    +    cfgMergeBool(session_tickets);
    b19d6e
     
    b19d6e
         modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
    b19d6e
     
    b19d6e
    @@ -720,6 +722,17 @@ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
    b19d6e
     #endif
    b19d6e
     }
    b19d6e
     
    b19d6e
    +const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
    b19d6e
    +{
    b19d6e
    +    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    b19d6e
    +#ifndef SSL_OP_NO_TICKET
    b19d6e
    +    return "This version of OpenSSL does not support using "
    b19d6e
    +           "SSLSessionTickets.";
    b19d6e
    +#endif
    b19d6e
    +    sc->session_tickets = flag ? TRUE : FALSE;
    b19d6e
    +    return NULL;
    b19d6e
    +}
    b19d6e
    +
    b19d6e
     const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
    b19d6e
     {
    b19d6e
     #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    b19d6e
    diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
    b19d6e
    index 568627f..672760c 100644
    b19d6e
    --- a/modules/ssl/ssl_engine_init.c
    b19d6e
    +++ b/modules/ssl/ssl_engine_init.c
    b19d6e
    @@ -566,6 +566,16 @@ static void ssl_init_ctx_protocol(server_rec *s,
    b19d6e
         }
    b19d6e
     #endif
    b19d6e
     
    b19d6e
    +#ifdef SSL_OP_NO_TICKET
    b19d6e
    +    /*
    b19d6e
    +     * Configure using RFC 5077 TLS session tickets
    b19d6e
    +     * for session resumption.
    b19d6e
    +     */
    b19d6e
    +    if (sc->session_tickets == FALSE) {
    b19d6e
    +        SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
    b19d6e
    +    }
    b19d6e
    +#endif
    b19d6e
    +
    b19d6e
     #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    b19d6e
         if (sc->insecure_reneg == TRUE) {
    b19d6e
             SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
    b19d6e
    diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
    b19d6e
    index 0cc6d3f..b601316 100644
    b19d6e
    --- a/modules/ssl/ssl_private.h
    b19d6e
    +++ b/modules/ssl/ssl_private.h
    b19d6e
    @@ -701,6 +701,7 @@ struct SSLSrvConfigRec {
    b19d6e
     #ifndef OPENSSL_NO_COMP
    b19d6e
         BOOL             compression;
    b19d6e
     #endif
    b19d6e
    +    BOOL             session_tickets;
    b19d6e
     };
    b19d6e
     
    b19d6e
     /**
    b19d6e
    @@ -756,6 +757,7 @@ const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
    b19d6e
     const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
    b19d6e
     const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
    b19d6e
     const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
    b19d6e
    +const char  *ssl_cmd_SSLSessionTickets(cmd_parms *, void *, int flag);
    b19d6e
     const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
    b19d6e
     const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
    b19d6e
     const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);