> On Jan 29, 2015, at 10:29 AM, Reindl Harald <[email protected]> wrote:
>
>
> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt
> ssl_ticket_enabled=0
>
> https://www.ssllabs.com/ssltest/
> Session resumption (caching) Yes
> Session resumption (tickets) Yes
> SSL 2 handshake compatibility No

First, what version of OpenSSL is this? We try to set SSL_OP_NO_TICKET, which I believe was added in OpenSSL 0.9.9. Maybe httpd uses a different technique to disable session tickets. Can you turn on "ssl" debug logging? With ssl_ticket_enabled=0 you should see a message like "ssl session ticket is disabled" ...

>
> (the ssl 2 handshake compatibility needs to be fixed too for some clients like
> "ab", the apache benchmark tool)
> _______________________________
>
> today's release of httpd introduces an option for that and its description
> says for me "no i do not want to restart services daily"
>
> with Off https://www.ssllabs.com/ssltest/ says correctly
>
> Session resumption (caching) Yes
> Session resumption (tickets) No
>
> mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the
> use of TLS session tickets (RFC 5077), default value is "On" (unchanged
> behavior). Session ticket creation uses a random key created during web
> server startup and recreated during restarts. No other key recreation
> mechanism is available currently. Therefore using session tickets without
> restarting the web server with an appropriate frequency (e.g. daily)
> compromises perfect forward secrecy. [Rainer Jung]
>
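As an added illustration (not code from Traffic Server or from anyone in this thread), the following Python parses ssl_multicert.config-style records, applies the OpenSSL SSL_OP_NO_TICKET option (exposed in Python's ssl module as ssl.OP_NO_TICKET) to a server context when a record carries ssl_ticket_enabled=0, and then reads the option bit back from the context. That read-back is the programmatic counterpart of the "ssl session ticket is disabled" debug message the reply asks for: it confirms the option actually landed on the context rather than only being present in the file. The record format (one record per line, whitespace-separated key=value pairs) and the default of tickets being enabled when the key is absent are assumptions about the file; the sample config is constructed.

```python
import ssl

# Constructed sample, modelled on the record quoted in the thread.
# File names are illustrative, not a real deployment.
SAMPLE_CONFIG = """\
# comment and blank lines are skipped
ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt ssl_ticket_enabled=0

ssl_cert_name=other.example.pem ssl_ca_name=godaddy_ca_sha256.crt
"""


def parse_multicert_records(text):
    """Parse ssl_multicert.config-style text into a list of dicts.

    Assumption: each non-comment line is one certificate record made of
    whitespace-separated key=value tokens.  A token without '=' is rejected
    so a typo does not silently become an ignored setting.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        record = {}
        for token in line.split():
            key, sep, value = token.partition("=")
            if not sep or not key:
                raise ValueError(f"malformed token {token!r} in line {line!r}")
            record[key] = value
        records.append(record)
    return records


def tickets_enabled(record):
    """Assumption: tickets are on unless the record says ssl_ticket_enabled=0."""
    return record.get("ssl_ticket_enabled", "1") != "0"


def build_server_context(record):
    """Build a server-side TLS context honouring the record's ticket setting.

    ssl.OP_NO_TICKET is Python's name for OpenSSL's SSL_OP_NO_TICKET; setting
    it stops the server from issuing RFC 5077 session tickets.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if not tickets_enabled(record):
        ctx.options |= ssl.OP_NO_TICKET
    return ctx


def ticket_option_set(ctx):
    """Read the option bit back from the context (what a debug log would report)."""
    return bool(ctx.options & ssl.OP_NO_TICKET)


if __name__ == "__main__":
    for rec in parse_multicert_records(SAMPLE_CONFIG):
        ctx = build_server_context(rec)
        state = "disabled" if ticket_option_set(ctx) else "enabled"
        print(f"{rec['ssl_cert_name']}: ssl session ticket is {state}")
```

Reading the bit back from the context only proves the configuration was applied in-process; whether clients actually stop receiving tickets is still best confirmed externally, as the SSL Labs "Session resumption (tickets)" line in the thread does.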
