Kaspar Brand wrote: > Kamesh Jayachandran wrote: >> Reasonable fix for this on the server side is to apply SSL_OP_NO_TICKET >> patch and enable SSLSessionCache. > > There is actually another reason why disabling TLS session tickets makes > sense at the present time: with OpenSSL's current stable version > (0.9.8k), session tickets only work properly for the first/default > vhost. For all other vhosts, mod_ssl will fail to decrypt a > previously-generated ticket, due to the order in which OpenSSL currently > deals with the SNI and ticket extensions (and their callbacks). The > consequence is that with 2.2.x and an SNI configuration, session caching > for clients supporting TLS tickets is not working for all but the first > vhost. >
The current OpenSSL (unreleased) stable code uses ticket keys from the initial ctx and not the current one. This makes session resumption with tickets and SNI work again because they all use the same keys. The equivalent can be done with previous versions of OpenSSL by generating the three ticket related keys and initializing the same ones in all SSL_CTX structures. The function macro SSL_CTX_set_tlsext_ticket_keys can be used to do this. > > 1) When configuring a new SSL context (in > ssl_engine_init.c:ssl_init_ctx_tls_extensions), it disables session > ticket support if a server-side session cache is configured. Enabling > both session tickets and a cache for stateful resumption at the same > time doesn't make that much sense anyway, IMO. This change will also > solve the issue with OpenSSL clients (as reported by Kamesh), provided > that a server-side cache is configured. > I suppose if some clients support tickets and others do not then enabling both makes sense. You'd get improved performance for the equivalent cache size because ticket supporting clients would do their own caching and non-ticket clients would use normal stateful session resumption. Though as you note older versions of OpenSSL will be in use for quite a while after 0.9.8l is released. Note this should all be fixed in current unreleased OpenSSL (which will be 0.9.8l) but it needs client side as well as server side changes. Steve. -- Dr Stephen N. Henson. Senior Technical/Cryptography Advisor, Open Source Software Institute: www.oss-institute.org OpenSSL Core team: www.openssl.org
