On 14.06.2014 12:53, Rainer Jung wrote:
> SSL_CTX_set_timeout() seems to work pretty well.
Indeed. I missed the fact that after the ticket has been decrypted/processed,
there's a timeout check in ssl_sess.c:ssl_get_prev_session(), based on the
SSL_SESSION's "time" value, which is the timestamp of its creation.
SSL_CTX_set_timeout() adjusts the default value for SSL sessions created by
ssl_sess.c:ssl_get_new_session(). Right now, mod_ssl relies on the builtin
OpenSSL defaults, which are somewhat inconsistent:
- if SSLProtocol specifies multiple protocols, the default timeout
for TLS session tickets is 300 seconds
- if SSLProtocol only specifies one of "TLSv1", "TLSv1.1", or "TLSv1.2",
the default timeout for session tickets is 7200 seconds
> In addition to the usual directive management lines, the patch should be
> as simple as
>
> Index: modules/ssl/ssl_engine_init.c
> ===================================================================
> --- modules/ssl/ssl_engine_init.c (revision 1593916)
> +++ modules/ssl/ssl_engine_init.c (working copy)
> @@ -1365,6 +1365,8 @@
> }
> #endif
>
> + SSL_CTX_set_timeout(sc->server->ssl_ctx, sc->server->session_timeout);
> +
> return APR_SUCCESS;
> }
>
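Review bot: the new "+ SSL_CTX_set_timeout(sc->server->ssl_ctx, sc->server->session_timeout);" line hands the configuration field to OpenSSL unguarded, so when the directive is absent the UNSET sentinel itself becomes the context timeout instead of the library default; resolve the value first ("sc->server->session_timeout == UNSET ? <default> : sc->server->session_timeout") or reuse the existing SSLSessionCacheTimeout value as discussed below, and note the resulting default next to the directive documentation.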
> where sc->server->session_timeout is the new configuration item (if we
> do not stick to the existing cache timeout).
I'm slightly in favor of the latter, i.e. something like
SSL_CTX_set_timeout(sc->server->ssl_ctx,
                    sc->session_cache_timeout == UNSET ?
                    SSL_SESSION_CACHE_TIMEOUT : sc->session_cache_timeout);
(As a side effect, this would also make sure that the timeout for
TLS session tickets is 300 seconds for all SSLProtocol settings,
if SSLSessionCacheTimeout is not explicitly configured.)
Kaspar
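As an added illustration (not part of this thread, mod_ssl or OpenSSL), the following C model shows the two pieces the discussion above combines: resolving the value passed to SSL_CTX_set_timeout() when SSLSessionCacheTimeout is unset, and the age check ssl_get_prev_session() applies to a decrypted ticket using the session's creation time. UNSET (-1) and the 300-second SSL_SESSION_CACHE_TIMEOUT are assumed values; session_t, effective_session_timeout(), new_session() and session_expired() are hypothetical stand-ins for the real structures and functions.

```c
#include <stdio.h>
#include <time.h>

/* Assumed values mirroring mod_ssl's configuration conventions (constructed
 * for this example): an unconfigured directive holds UNSET, and the session
 * cache default is 300 seconds. */
#define UNSET (-1)
#define SSL_SESSION_CACHE_TIMEOUT 300

/* Minimal stand-in for the two SSL_SESSION fields the timeout check uses. */
typedef struct {
    time_t time;    /* creation timestamp, stamped when the session is created */
    long   timeout; /* lifetime in seconds, inherited from the SSL_CTX */
} session_t;

/* Resolve what SSL_CTX_set_timeout() should receive: the configured
 * SSLSessionCacheTimeout, or the 300-second default when it is UNSET. */
long effective_session_timeout(long session_cache_timeout)
{
    return session_cache_timeout == UNSET ? SSL_SESSION_CACHE_TIMEOUT
                                          : session_cache_timeout;
}

/* Model of ssl_get_new_session(): stamp the session with the current time
 * and the context's timeout value. */
session_t new_session(long ctx_timeout, time_t now)
{
    session_t s = { now, ctx_timeout };
    return s;
}

/* Model of the check in ssl_get_prev_session() after ticket decryption: the
 * session is stale once more than 'timeout' seconds have passed since its
 * creation (strict comparison, so an age equal to the timeout is still valid).
 * Passing UNSET through unguarded yields timeout -1, which this check treats
 * as expired even at age zero. */
int session_expired(const session_t *s, time_t now)
{
    return s->timeout < (long)(now - s->time);
}

int main(void)
{
    time_t t0 = 1000000;
    session_t s = new_session(effective_session_timeout(UNSET), t0);
    printf("timeout=%ld expired@+300=%d expired@+301=%d\n", s.timeout,
           session_expired(&s, t0 + 300), session_expired(&s, t0 + 301));
    return 0;
}
```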