https://issues.apache.org/bugzilla/show_bug.cgi?id=57391
Bug ID: 57391
Summary: Allow TLS Session Tickets to be disabled
Product: Tomcat 8
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Created attachment 32322
--> https://issues.apache.org/bugzilla/attachment.cgi?id=32322&action=edit
svn diff output
OpenSSL contexts support the SSL_OP_NO_TICKET option as of OpenSSL 1.0.0 that
disables the use of TLS Session Tickets (RRC 4507) in order to protect perfect
forward secrecy. The APR connector should support the ability to enable/disable
this functionality at runtime.
With 'SSLDisableSessionTickets' omitted or set to false:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
FE4BF00CC4B357A046F5A0EDDDF874C3194FB10453480986E9B798028DCC1FB1
Session-ID-ctx:
Master-Key:
65F45CFC648ADCAFB84026B702C800D18E05F7DB27618D2E036308F95AE479C7428D006D2CB4A68342FD23F39099C291
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7d 37 a8 08 28 98 ff 9f-0d 74 bb 2c 04 90 cf 7b }7..(....t.,...{
0010 - 23 34 11 49 4e db c4 04-4a e3 9e 76 06 59 10 5f #4.IN...J..v.Y._
0020 - c6 c4 05 4e f2 76 f6 d4-3e a2 a5 ec e4 51 e9 15 ...N.v..>....Q..
0030 - 6d 71 ba 19 2e b7 b1 79-a2 13 3e 4d f4 08 a7 94 mq.....y..>M....
0040 - 2f ab 77 2a 92 03 04 12-a0 8a 7e 24 c3 de b1 64 /.w*......~$...d
0050 - fd b9 ba 0b bd 8e 0d b9-99 0e 86 f4 16 a0 9d ad ................
0060 - 99 78 26 eb 59 30 9f 69-93 d4 17 95 99 70 c1 e1 .x&.Y0.i.....p..
0070 - b8 2e fc 6e d0 ca af f6-10 37 05 73 92 49 2e e4 ...n.....7.s.I..
0080 - 22 e5 9c db 10 f2 2a 59-3e a2 a1 15 fb c3 07 06 ".....*Y>.......
0090 - 17 9b e9 f4 cd 89 14 43-c3 40 eb 8b b5 c7 e7 e1 .......C.@......
00a0 - ce ec c8 39 46 de ae 98-bc 5b c9 3f 55 a5 e9 31 ...9F....[.?U..1
With 'SSLDisableSessionTickets' set to true:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
019AE5FB556C2D52857B711395E19EAA5B580C704EB43B2787AD72FDE5077F81
Session-ID-ctx:
Master-Key:
22C1A1DDB686D745F456DB6E1DCC2C38D3F651B483C2F2CCC280E9D8A148B20CE65475862F058E099C6B34FCEA7BC295
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1419283439
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Versions:
CentOS release 6.5 (Final)
OpenSSL 1.0.1e-fips 11 Feb 2013
Tomcat 8.x trunk
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
