On 17/07/2019 00:06, M.S. Dousti wrote:
> Dear all,
>
> TLS allows session resumption via session IDs or session tickets.
> [This post](https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/)
> shows how this can be performed in Apache web server and Nginx. Especially,
> Apache has a [`SSLSessionTicketKeyFile` directive](http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslsessionticketkeyfile)
> which allows the TLS session ticket to be encrypted by a specific key,
> rather than a key chosen randomly at startup. This is useful in a cluster,
> where any cluster member can open a ticket encrypted by another member via
> a shared key.
>
> I couldn't find a similar feature in [Tomcat TLS documentation](https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support).
> If this can be done via configuration, so much the better.
I am afraid not. At least not at the moment. It looks fairly simple to
implement. Care to open an enhancement request in Bugzilla or a PR in
GitHub?

> Otherwise, I have a hunch on how to do it programmatically.
>
> I found a method called [`setTicketKeys`](https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/util/net/openssl/OpenSSLSessionContext.html#setTicketKeys-byte:A-)
> which seems to be doing exactly what I want:
>
>     public void setTicketKeys(byte[] keys)
>     Sets the SSL session ticket keys of this context.
>     Parameters:
>     keys - The session ticket keys
>
> I also found [a class from Facebook Nifty](https://github.com/facebookarchive/nifty/blob/master/nifty-ssl/src/main/java/com/facebook/nifty/ssl/OpenSslServerConfiguration.java)
> which uses this function.
>
> My question is: I need an instance of `OpenSSLSessionContext` to call
> `setTicketKeys()` on. How should I get this instance?
>
> PS: I use Tomcat 9.0.22 on Windows 10 x64.

You are going to have to patch Tomcat to do this. Somewhere around line 260
of o.a.tomcat.util.net.SSLUtilBase.java would be a reasonable place to
start.

Mark
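As an added illustration (not code from the thread or from Tomcat), the helper below handles the key material side of what the question describes: it generates and loads a ticket key in the 48-byte layout OpenSSL's `SSL_CTX_set_tlsext_ticket_keys` uses (16-byte name, 16-byte AES key, 16-byte HMAC key, the same format Apache's `SSLSessionTicketKeyFile` takes) so every cluster node shares one key, and installs it through `OpenSSLSessionContext.setTicketKeys`. It assumes the caller already holds the `SSLSessionContext` instance, which is exactly the part the reply says requires patching Tomcat; the class name `SharedTicketKey` and the file path are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import javax.net.ssl.SSLSessionContext;
import org.apache.tomcat.util.net.openssl.OpenSSLSessionContext;

/**
 * Shared session-ticket key for a Tomcat cluster (hypothetical helper, added example).
 * Layout assumed from OpenSSL: name(16) || AES-128 key(16) || HMAC key(16) = 48 bytes.
 * Treat the file like a private key: whoever reads it can decrypt every resumed
 * session's ticket, and a long-lived key removes forward secrecy for resumed
 * sessions, so rotate it and redistribute it to all nodes on a schedule.
 */
public final class SharedTicketKey {

    /** One OpenSSL ticket key: 16-byte name, 16-byte AES key, 16-byte HMAC key. */
    public static final int TICKET_KEY_SIZE = 48;

    private SharedTicketKey() {}

    /** Generate a fresh key from a CSPRNG and write it to the shared key file. */
    public static byte[] generate(Path file) throws IOException {
        byte[] key = new byte[TICKET_KEY_SIZE];
        new SecureRandom().nextBytes(key);
        Files.write(file, key);
        return key;
    }

    /** Load the shared key and reject anything that is not exactly one 48-byte key. */
    public static byte[] load(Path file) throws IOException {
        byte[] key = Files.readAllBytes(file);
        if (key.length != TICKET_KEY_SIZE) {
            throw new IllegalArgumentException("ticket key file must be exactly "
                    + TICKET_KEY_SIZE + " bytes, got " + key.length);
        }
        return key;
    }

    /**
     * Install the key on the context. Only the OpenSSL engine exposes setTicketKeys;
     * with JSSE the call does not exist, so fail loudly rather than silently keeping
     * a per-node random key, which would make cross-node resumption fail quietly.
     */
    public static void install(SSLSessionContext ctx, byte[] key) {
        if (!(ctx instanceof OpenSSLSessionContext)) {
            throw new IllegalStateException("session ticket keys need the OpenSSL engine, got "
                    + ctx.getClass().getName());
        }
        ((OpenSSLSessionContext) ctx).setTicketKeys(key);
    }
}
```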