Hi,

On Sat, Jul 12, 2014 at 11:08:46AM +0200, David Sommerseth wrote:
> > my question would be : why does openvpn need SSL_OP_NO_TICKET? why not
> > #ifdef the code, e.g.
> >
> >   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
> > #ifdef SSL_OP_NO_TICKET
> >       | SSL_OP_NO_TICKET
> > #endif
> >       );
> >
> > (this is non-openvpn code) ?
>
> I agree, this seems to be the best approach. I suspect the issues related to
> SSL_OP_NO_TICKET has been resolved by Red Hat on EL5, but the fix may not have
> provided that flag.

This is what we do in 2.3. For 2.4 we decided (on the list, btw!) to
require that this is there, instead of silently hoping that the SSL
library would get it right (which it does not, according to James).

See 25f4d4b49bff342fd9dd54cd and e9b088b208479.

commit 25f4d4b49bff342fd9dd54cd22f14c9de49e9f8b
Author: James Yonan <ja...@openvpn.net>
Date:   Sun Mar 16 18:49:36 2014 -0600

    Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable
    TLS stateless session resumption.

    OpenVPN doesn't want or need SSL session renegotiation or
    resumption, as it handles renegotiation on its own.

    For this reason, OpenVPN always disables the SSL session cache:

      SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)

    However, even with the above code, stateless session resumption
    is still possible unless explicitly disabled with the
    SSL_OP_NO_TICKET flag.  This patch does this.

> In addition, EL5 is the oldest distro we support (after we convinced James to
> ditch EL4 when that went officially EOL; not counting the extended support
> some few customers may pay for).

Any way to convince RH to pick up this security-relevant fix?

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de