Posted to dev@httpd.apache.org by Paul Querna <pa...@querna.org> on 2011/11/10 00:42:50 UTC

Re: [PATCH] Support for TLS Session Tickets

On Sun, Oct 2, 2011 at 12:20 AM, Kaspar Brand <ht...@velox.ch> wrote:
> On 30.09.2011 08:08, Paul Querna wrote:
>> Attached is a patch
>> <http://people.apache.org/~pquerna/tls_session_ticket_support.patch>
>>  to add support for setting SSL_CTX_set_tlsext_ticket_keys.
>>
>> I have two questions:
>>
>> 1) What is the right ifdef to look for support of this feature?  I was
>> just using ifdef SSL_CTX_set_tlsext_ticket_keys and it seemed to work
>> for me......
>
> SSL_CTRL_SET_TLSEXT_TICKET_KEYS and #ifndef OPENSSL_NO_TLSEXT,
> respectively - I would suggest wrapping it in the same way as
> SSL_CTX_set_tlsext_servername_callback/SSL_CTX_set_tlsext_servername_arg.
>
> Generally speaking, I agree with Stefan that such keys shouldn't be
> stored in config files as (static) plain-text strings. RFC 5077 section
> 5.5 lists some recommendations for the management of ticket protection
> keys, although it hastens to add that "A full description [...] is
> beyond the scope of this document".

I've committed an updated patch that stores the key id, hmac secret,
and aes key into a file:
<https://svn.apache.org/viewvc?view=revision&revision=1200040>

Feedback welcome!

Thanks,

Paul