Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c	(revision 1177497)
+++ modules/ssl/mod_ssl.c	(working copy)
@@ -79,6 +79,11 @@
     SSL_CMD_SRV(FIPS, FLAG,
                 "Enable FIPS-140 mode "
                 "(`on', `off')")
+#ifdef SSL_CTX_set_tlsext_ticket_keys
+    SSL_CMD_SRV(TicketKey, TAKE1,
+                "Enable TLS sessin keys (RFC 5077) "
+                "(keyname keyvalue)")
+#endif
     SSL_CMD_ALL(CipherSuite, TAKE1,
                 "Colon-delimited list of permitted SSL Ciphers "
                 "('XXX:...:XXX' - see manual)")
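Review bot: The help text for the new `SSLTicketKey` entry advertises two arguments, `(keyname keyvalue)`, but the directive is registered as `TAKE1` and the handler prototype added in ssl_private.h takes a single string, so the usage line does not match what the parser accepts. "sessin keys" is also a typo, and the directive supplies a ticket-protection secret rather than enabling session keys. I would word the two strings as `"Secret used to derive the TLS session ticket key (RFC 5077) "` and `"(string of at least 48 characters)"`.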
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h	(revision 1177497)
+++ modules/ssl/ssl_private.h	(working copy)
@@ -625,6 +625,9 @@
 #ifdef HAVE_FIPS
     BOOL             fips;
 #endif
+#ifdef SSL_CTX_set_tlsext_ticket_keys
+    const char *ticket_key;
+#endif
 };
 
 /**
@@ -666,6 +669,7 @@
 const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLTicketKey(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c	(revision 1177497)
+++ modules/ssl/ssl_engine_init.c	(working copy)
@@ -1137,6 +1137,46 @@
 #endif
         ssl_die();
     }
+
+#ifdef SSL_CTX_set_tlsext_ticket_keys
+    if (mctx->sc->ticket_key != NULL) {
+        X509 *cert = NULL;
+
+        if (have_rsa) {
+            cert = mctx->pks->certs[SSL_AIDX_RSA];
+        }
+        else if (have_dsa) {
+            cert = mctx->pks->certs[SSL_AIDX_DSA];
+        }
+#ifndef OPENSSL_NO_EC
+        else if (have_ecc) {
+            cert = mctx->pks->certs[SSL_AIDX_ECC];
+        }
+#endif
+
+        if (cert != NULL) {
+            unsigned char md[EVP_MAX_MD_SIZE];
+            unsigned int md_size = sizeof(md);
+            unsigned char cert_md[EVP_MAX_MD_SIZE];
+            unsigned int cert_md_size;
+
+            X509_digest(cert, EVP_sha1(), cert_md, &cert_md_size);
+
+            /* we need 48 bytes for the openssl ticket key, sha256 is too small. */
+            HMAC(EVP_sha256(), mctx->sc->ticket_key, strlen(mctx->sc->ticket_key),
+                 cert_md, cert_md_size, &md[0], &md_size);
+
+            if (!SSL_CTX_set_tlsext_ticket_keys(mctx->ssl_ctx, md, 48)) {
+              ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
+                           "Unable to initialize TLS session ticket extension "
+                           "(incompatible OpenSSL version?)");
+              ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+              ssl_die();
+            }
+        }
+    }
+#endif
+
 }
 
 static void ssl_init_proxy_certs(server_rec *s,
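Review bot: The last 16 of the 48 bytes handed to `SSL_CTX_set_tlsext_ticket_keys` are uninitialized stack memory, because `HMAC(EVP_sha256(), ...)` writes only 32 bytes into `md`; the comment above the call says SHA-256 is too small, yet that is the digest used. Part of the ticket key material is therefore not derived from the configured secret and is not reproducible between processes, which presumably defeats the purpose of configuring a key at all. `EVP_sha384()` yields exactly 48 bytes. The return values of `X509_digest` and `HMAC` are also ignored and the derived key is left on the stack; the sketch below checks both calls, verifies `md_size`, and wipes the buffer with `OPENSSL_cleanse`. The enclosing function starts outside this hunk.

```c
        if (cert != NULL) {
            /* ... unchanged: md / cert_md declarations ... */

            /* SHA-384 produces the full 48 bytes the ticket key needs. */
            if (!X509_digest(cert, EVP_sha1(), cert_md, &cert_md_size)
                || HMAC(EVP_sha384(), mctx->sc->ticket_key,
                        strlen(mctx->sc->ticket_key),
                        cert_md, cert_md_size, md, &md_size) == NULL
                || md_size < 48) {
                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                             "Unable to derive TLS session ticket key");
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
                ssl_die();
            }

            /* ... unchanged: SSL_CTX_set_tlsext_ticket_keys call and its error path ... */

            /* Do not leave derived key material on the stack. */
            OPENSSL_cleanse(md, sizeof(md));
        }
```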
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c	(revision 1177497)
+++ modules/ssl/ssl_engine_config.c	(working copy)
@@ -200,6 +200,10 @@
     sc->fips                   = UNSET;
 #endif
 
+#ifdef SSL_CTX_set_tlsext_ticket_keys
+    sc->ticket_key = NULL;
+#endif
+
     modssl_ctx_init_proxy(sc, p);
 
     modssl_ctx_init_server(sc, p);
@@ -304,6 +308,9 @@
 
     cfgMerge(mc, NULL);
     cfgMerge(enabled, SSL_ENABLED_UNSET);
+#ifdef SSL_CTX_set_tlsext_ticket_keys
+    cfgMergeString(ticket_key);
+#endif
     cfgMergeBool(proxy_enabled);
     cfgMergeInt(session_cache_timeout);
     cfgMergeBool(cipher_server_pref);
@@ -584,6 +591,23 @@
     return "Argument must be On, Off, or Optional";
 }
 
+const char *ssl_cmd_SSLTicketKey(cmd_parms *cmd, void *dcfg, const char *key)
+{
+#ifdef SSL_CTX_set_tlsext_ticket_keys
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    if (strlen(key) < 48) {
+        return "SSLTicketKey key value must be at least 48 bytes.";
+    }
+
+    sc->ticket_key = key;
+
+    return NULL;
+#else
+    return "TLS Ticket keys are not supported.";
+#endif
+}
+
 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef HAVE_FIPS
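Review bot: Nothing on `ssl_cmd_SSLTicketKey` tells the reader that `key` is a long-lived secret stored verbatim in the server configuration, and the `strlen(key) < 48` check measures characters, not entropy. The ssl_engine_init.c hunk derives the ticket key only from this string and the certificate digest, so the key stays the same until the configuration or certificate changes, and anyone who can read the configuration can recompute it. A header comment should state that the value must be randomly generated, that the file holding it must be readable only by the server administrator, and that it should be rotated regularly. The `#else` branch looks unreachable, since mod_ssl.c registers the directive only under the same `#ifdef`. `ssl_cmd_SSLFIPS` continues past the end of this hunk.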
