Am 29.01.2015 um 20:25 schrieb James Peach:
On Jan 29, 2015, at 10:29 AM, Reindl Harald <[email protected]> wrote:[root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config ssl_cert_name=thelounge.net.pem ssl_ca_name=godaddy_ca_sha256.crt ssl_ticket_enabled=0 https://www.ssllabs.com/ssltest/ Session resumption (caching) Yes Session resumption (tickets) Yes SSL 2 handshake compatibility NoFirst, what version of OpenSSL is this? We try to set SSL_OP_NO_TICKET, which I believe was added in OpenSSL 0.9.9. Maybe httpd uses a different technique to disable session tickets.
Fedora 20 openssl-1.0.1e-41.fc20
Can you turn on "ssl" debug logging? With ssl_ticket_enabled=0 you should see a message like "ssl session ticket is disabled" ...
not sure how to do that the only reachable server for ssllabs ist the production one testing environments are not reachable from outside
(the ssl 2 handshake compatibility needs to be fixed too for some client like "ab" the apache benchmark tool)
BTW: that annoys me for years now - "ab" supports SNI fine but not with ATS
_______________________________ the today release of httpd introduces an option for that and it's description says for me "no i do not want to restart services daily" with Off https://www.ssllabs.com/ssltest/ says correctly Session resumption (caching) Yes Session resumption (tickets) No mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior). Session ticket creation uses a random key created during web server startup and recreated during restarts. No other key recreation mechanism is available currently. Therefore using session tickets without restarting the web server with an appropriate frequency (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
signature.asc
Description: OpenPGP digital signature
