Re: SSL session ID vs session ticket
On Thu, Oct 27, 2011, Matthias Meixner wrote:

> Hello!
>
> It looks like my original email has been truncated; therefore, my main
> questions were missing. I had already found option SSL_OP_NO_TICKET, but I
> have some questions regarding SSL session tickets for which I have not found
> an answer yet:
>
> Is it OK to simply disable them or does this create some security risks?

It's fine. If you disable them the normal stateful session resumption will be used.

> What is the advantage of using session tickets instead of session IDs?

The server doesn't need to look up session information from a cache.

> Can SSL session tickets be used with some kind of external cache?

The tickets themselves are stored by clients. In order to use tickets a server needs two keys: a symmetric key and an HMAC key. If you have a distributed server they will all need to share the keys in order to process each other's tickets.

You can use the macros SSL_CTX_get_tlsext_ticket_keys() and SSL_CTX_set_tlsext_ticket_keys() to do this. There is also a callback SSL_CTX_set_ticket_key_cb().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: SSL session ID vs session ticket
On Thu, Oct 27, 2011 at 8:09 AM, Matthias Meixner <matthias.meix...@verifone.com> wrote:

> Hello!
>
> When upgrading to version 0.9.8r my system stopped supporting session
> resumption. It looks like session tickets are the reason for this. I was
> using some external session cache to support session resumption on a
> cluster of servers, where it should be possible that each server in the
> cluster can resume the SSL connection. With the upgrade to version 0.9.8r
> this stopped working.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
Re: SSL session ID vs session ticket
On 27.10.2011 14:09, Matthias Meixner wrote:

> Hello!
>
> When upgrading to version 0.9.8r my system stopped supporting session
> resumption. It looks like session tickets are the reason for this. I was
> using some external session cache to support session resumption on a
> cluster of servers, where it should be possible that each server in the
> cluster can resume the SSL connection. With the upgrade to version 0.9.8r
> this stopped working.

Try using something like

    SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);

Ciao, Richard
Re: SSL session ID vs session ticket
On Thu, Oct 27, 2011, Richard Knning wrote:

> On 27.10.2011 14:09, Matthias Meixner wrote:
>
> > Hello!
> >
> > When upgrading to version 0.9.8r my system stopped supporting session
> > resumption. It looks like session tickets are the reason for this. I was
> > using some external session cache to support session resumption on a
> > cluster of servers, where it should be possible that each server in the
> > cluster can resume the SSL connection. With the upgrade to version 0.9.8r
> > this stopped working.
>
> Try using something like
>
>     SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);

Yes, that's the easiest option. Alternatively, find a way for the servers to share the same ticket encryption and HMAC keys.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
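The cluster requirement Steve describes here and in his first reply above, as an added worked example that is not code from the thread or from OpenSSL: it uses Go's crypto/tls, whose SetSessionTicketKeys plays the role of SSL_CTX_set_tlsext_ticket_keys(), to show that a ticket issued by node A is accepted by node B only because B holds A's ticket keys, while node C, which has keys of its own, falls back to a full handshake (the behaviour reported after the upgrade). The helper names, the throwaway "node" certificate and the two keys are all constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// newNode is one cluster member; SetSessionTicketKeys mirrors SSL_CTX_set_tlsext_ticket_keys().
func newNode(der []byte, key *ecdsa.PrivateKey, keys ...[32]byte) *tls.Config {
	cfg := &tls.Config{MaxVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	cfg.SetSessionTicketKeys(keys) // only nodes holding these keys can open this node's tickets
	return cfg
}

// handshake runs one client handshake against srv over an in-memory pipe; true means srv resumed from the ticket.
func handshake(client, srv *tls.Config) bool {
	c, s := net.Pipe()
	done := make(chan bool, 1)
	go func() {
		sc := tls.Server(s, srv)
		done <- sc.Handshake() == nil && sc.ConnectionState().DidResume
	}()
	tls.Client(c, client).Handshake() // an error here just surfaces as "not resumed" below
	c.Close()                          // also unblocks the server goroutine if the handshake failed part-way
	return <-done
}

// ResumeAcrossCluster replays the thread: a ticket from node A is offered to B (same keys) and to C (different keys).
func ResumeAcrossCluster() (resumedOnB, resumedOnC bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway cert: constructed test data
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"node"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client verifies the cluster cert normally instead of skipping verification
	var shared, other [32]byte // shared: distributed to A and B; other: known to C alone
	rand.Read(shared[:])
	rand.Read(other[:])
	nodeA, nodeB, nodeC := newNode(der, key, shared), newNode(der, key, shared), newNode(der, key, other)
	client := &tls.Config{RootCAs: pool, ServerName: "node", ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	handshake(client, nodeA) // full handshake; the client caches the ticket A issued
	return handshake(client, nodeB), handshake(client, nodeC)
}
```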