Hi,

On Sat, Jul 12, 2014 at 02:55:21PM +0200, David Sommerseth wrote:
> > Well, OpenSSL considers this a "feature", not an "issue"... and being
> > able to turn off session resumption is also considered a "feature"...
>
> Ahh, right!
>
> I thought this was related to a CVE, but it seems not, according to the
> OpenSSL changelog I found on the net [1]. SSL_OP_NO_TICKET comes with the
> implementation of RFC4507, which was introduced in 0.9.8f. I just double
> checked EL5, and it uses 0.9.8e as the base version. According to the
> RPM changelog, I don't see that RFC4507 has ever been backported.
Ah.  So if that is correct, our simplistic implementation "if it is not
there, just #define SSL_OP_NO_TICKET 0" would be perfectly safe in this
regard, then.

> But it would be good if others can double check this and see if I've
> understood this correctly, just so I don't say anything wrong.

Indeed :-)  - Steffann?

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
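The "if it is not there, just #define SSL_OP_NO_TICKET 0" fallback discussed above, written out as a compile-time shim so the reasoning can be checked. This is an added example, not the project's own code: the few OpenSSL macros it depends on are reproduced inline as constructed stand-ins (so the file compiles without OpenSSL installed), and the -DSIMULATE_OPENSSL_098E switch, the HAVE_SSL_OP_NO_TICKET macro and the helper function names are assumptions of this example. The flag values (SSL_OP_NO_TICKET 0x00004000L, SSL_OP_NO_SSLv2 0x01000000L) and the version number of 0.9.8f (0x0090806f) follow OpenSSL's own headers and version-number scheme.

```c
#include <stdio.h>

/*
 * Stand-ins for the OpenSSL macros this example depends on.  In a real build
 * they come from <openssl/opensslv.h> and <openssl/ssl.h>; they are
 * reproduced here (constructed) so the file compiles without OpenSSL.
 * Build with -DSIMULATE_OPENSSL_098E to mimic an EL5-style 0.9.8e header,
 * which predates RFC 4507 and therefore does not define SSL_OP_NO_TICKET.
 */
#ifdef SIMULATE_OPENSSL_098E
#  define OPENSSL_VERSION_NUMBER 0x0090805fL   /* 0.9.8e */
#else
#  define OPENSSL_VERSION_NUMBER 0x0090806fL   /* 0.9.8f, first with RFC 4507 */
#  define SSL_OP_NO_TICKET       0x00004000L   /* as defined by OpenSSL >= 0.9.8f */
#endif
#define SSL_OP_NO_SSLv2          0x01000000L   /* present in both generations */

/*
 * The compatibility shim from the thread: when the header does not provide
 * the flag, define it as 0 so that OR-ing it into the option mask is a no-op.
 * HAVE_SSL_OP_NO_TICKET (assumed name) records whether the flag was real, so
 * callers can tell the operator that "disable tickets" does nothing here.
 */
#ifdef SSL_OP_NO_TICKET
#  define HAVE_SSL_OP_NO_TICKET 1
#else
#  define HAVE_SSL_OP_NO_TICKET 0
#  define SSL_OP_NO_TICKET 0L
#endif

/* 1 if the OpenSSL headers in use know about session tickets (RFC 4507). */
int openssl_has_session_tickets(void)
{
    return HAVE_SSL_OP_NO_TICKET;
}

/* Cross-check by version number: tickets arrived in 0.9.8f (0x0090806f). */
int version_implies_session_tickets(unsigned long version_number)
{
    return version_number >= 0x0090806fUL;
}

/*
 * Compose the mask that would be handed to SSL_CTX_set_options().
 * With the shim in place, disable_tickets is honoured where the flag exists
 * and contributes nothing (and is reported) where it does not.
 */
long build_ctx_options(int disable_tickets, int disable_sslv2)
{
    long opts = 0L;

    if (disable_sslv2)
        opts |= SSL_OP_NO_SSLv2;

    if (disable_tickets) {
        opts |= SSL_OP_NO_TICKET;   /* 0 on pre-0.9.8f: no bit set, no harm */
        if (!HAVE_SSL_OP_NO_TICKET)
            fprintf(stderr,
                    "note: this OpenSSL predates RFC 4507 session tickets; "
                    "nothing to disable\n");
    }
    return opts;
}

/* Does the mask actually carry the no-ticket bit?  Handy for a startup log. */
int ticket_bit_set(long opts)
{
    return HAVE_SSL_OP_NO_TICKET && (opts & SSL_OP_NO_TICKET) != 0;
}

int main(void)
{
    long opts = build_ctx_options(1, 1);
    printf("OPENSSL_VERSION_NUMBER=0x%08lx tickets_in_header=%d "
           "version_check=%d options=0x%08lx no_ticket_bit=%d\n",
           (unsigned long)OPENSSL_VERSION_NUMBER, openssl_has_session_tickets(),
           version_implies_session_tickets(OPENSSL_VERSION_NUMBER),
           opts, ticket_bit_set(opts));
    return 0;
}
```

Compiled as-is the mask for build_ctx_options(1, 1) is 0x01004000 with the ticket bit present; compiled with -DSIMULATE_OPENSSL_098E the same call yields 0x01000000 and prints the note. That is the point of the thread: on a 0.9.8e base the knob is a silent no-op, which is harmless precisely because there is no ticket support to turn off, and the HAVE_ macro lets the program say so instead of leaving the operator to guess.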