Hi,

> -----Original Message-----
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Monday 17 March 2014 9:34
> Subject: Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL
> context for OpenSSL builds, to disable TLS stateless session
> resumption.
>
> Hi,
>
> On Sun, Mar 16, 2014 at 06:49:36PM -0600, James Yonan wrote:
> > OpenVPN doesn't want or need SSL session renegotiation or resumption,
> > as it handles renegotiation on its own.
> >
> > For this reason, OpenVPN always disables the SSL session cache:
> >
> > SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
> >
> > However, even with the above code, stateless session resumption is
> > still possible unless explicitly disabled with the SSL_OP_NO_TICKET
> > flag. This patch does this.
>
> I assume this should go into all OpenVPN branches, that is, master,
> 2.3, and if we ever do another 2.2, into that one as well?
>
> (not ACKing or NAKing the patch itself, this is not my field of
> expertise)
I think this should go into all releases we'll do from now on.

Also, ACK on the patch. Together with SSL_SESS_CACHE_OFF, this seems to fully disable TLS session renegotiation and resumption.

-Steffan