[ 
https://issues.apache.org/jira/browse/TS-3742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14616676#comment-14616676
 ] 

Susan Hinrichs commented on TS-3742:
------------------------------------

My original observation on the cause of this issue is incorrect.  The real 
problem is that whether tickets are enabled or not is controlled by the default 
entry in ssl_multicert.config or by the built-in default which is created if no 
'*' entry is present in ssl_multicert.config.

The code dutifully sets or clears SSL_OP_NO_TICKET for each SSL_CTX based on 
the ssl_ticket_enabled flag (which is on by default).  But by the time the code 
updates the SSL_CTX for the active SSL object in the SNI callback, the state 
about the tickets already seems to be set in the SSL object.  I tried calling 
SSL_clear_options and SSL_set_options to make the SSL object have the same 
value as the SSL_CTX object with respect to the SSL_OP_NO_TICKET flag, but it 
did not change whether the server hello advertised tickets or not.  It kept to 
the same state as was set on the original default SSL_CTX.

So there seems to be no code change that will enable tickets by default but 
disable them for a particular entry (or vice versa).  As it stands, the 
ssl_ticket_enabled on the default entry controls whether tickets are 
advertised.  If there is no default entry, the built-in default will have 
tickets enabled.

The solution seems to be to implement TS-3371 and provide a global 
enable/disable for tickets.

My tests were done with openssl 1.0.1f.  Things may vary between different 
versions of openssl.

> ATS advertises TLS ticket extension even when disabled
> ------------------------------------------------------
>
>                 Key: TS-3742
>                 URL: https://issues.apache.org/jira/browse/TS-3742
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>
> Noted by [~hreindl].  Even if you have ssl_ticket_enabled=0 on the relevant 
> line in ssl_multicert.config, the Server Hello message will still contain the 
> ticket tls extension.
> The problem is the code is blindly resetting the ticket callback on the 
> context.
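Added example (not code from the ticket, the comment, or Traffic Server itself): a small checker that models the behaviour described in the comment above, namely that with OpenSSL 1.0.1f only the default entry of ssl_multicert.config decides whether the ticket extension is advertised, and compares that prediction against a captured `openssl s_client -tlsextdebug` ServerHello listing. It assumes the default entry is the one written `dest_ip=*`, that keys are whitespace-separated `key=value` pairs, and that s_client prints the extension as `TLS server extension "session ticket" (id=35)`; the config and s_client excerpts are constructed samples.

```python
"""Predict and verify TLS session-ticket advertisement for ATS (TS-3742 observation).

Observed behaviour (OpenSSL 1.0.1f): the effective setting is ssl_ticket_enabled
on the dest_ip=* entry of ssl_multicert.config, or "enabled" when no default
entry exists; per-certificate ssl_ticket_enabled values do not take effect.
"""
import re

# constructed sample ssl_multicert.config: default entry leaves tickets on,
# a per-certificate entry tries to turn them off
SAMPLE_MULTICERT = """\
# default entry (dest_ip=* assumed to mark the default)
dest_ip=* ssl_cert_name=default.pem ssl_key_name=default.key
ssl_cert_name=example.pem ssl_key_name=example.key ssl_ticket_enabled=0
"""

# constructed excerpt of `openssl s_client -tlsextdebug -servername example ...`
SAMPLE_S_CLIENT = """\
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "session ticket" (id=35), len=0
"""


def parse_multicert(text):
    """Return one dict of key=value pairs per non-comment, non-empty line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split() if "=" in tok))
    return entries


def predicted_ticket_advertised(entries):
    """What ATS actually advertises per the comment: only the default entry counts."""
    for e in entries:
        if e.get("dest_ip") == "*":
            return e.get("ssl_ticket_enabled", "1") != "0"
    return True  # no '*' entry: built-in default has tickets enabled


def server_advertised_ticket(s_client_output):
    """True if the captured ServerHello carried the session ticket extension (id 35)."""
    return re.search(r'^TLS server extension .*\(id=35\)', s_client_output, re.M) is not None


def ticket_report(config_text, s_client_output):
    """Compare predicted vs observed state and list per-cert overrides that are ignored."""
    entries = parse_multicert(config_text)
    ignored = [e["ssl_cert_name"] for e in entries
               if e.get("dest_ip") != "*" and e.get("ssl_ticket_enabled") == "0"]
    return {"expected": predicted_ticket_advertised(entries),
            "observed": server_advertised_ticket(s_client_output),
            "per_cert_disable_ignored": ignored}
```

Running `ticket_report(SAMPLE_MULTICERT, SAMPLE_S_CLIENT)` on the samples shows tickets both predicted and observed as advertised, with example.pem's ssl_ticket_enabled=0 listed as having no effect.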

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)