Posted to issues@trafficserver.apache.org by "Alexey Ivanov (JIRA)" <ji...@apache.org> on 2014/09/22 11:29:33 UTC
[jira] [Updated] (TS-3092) SSL_CTX_set_timeout should be set even if Server Side Session Cache is disabled
[ https://issues.apache.org/jira/browse/TS-3092?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Ivanov updated TS-3092:
------------------------------
Description:
Currently {{SSL_CTX_set_timeout}} is called only if {{params->ssl_session_cache}} equals {{SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER}}, but inside OpenSSL's code that timeout is also used for the TLS ticket (RFC5077) lifetime hint:
ssl/s3_srvr.c:
{code}
int ssl3_send_newsession_ticket(SSL *s)
...skip...
/* Ticket lifetime hint (advisory only):
* We leave this unspecified for resumed session (for simplicity),
* and guess that tickets for new sessions will live as long
* as their sessions. */
l2n(s->hit ? 0 : s->session->timeout, p);
...skip...
{code}
so we should probably set it even if {{ssl_session_cache}} is disabled.
UPDATE: nginx has been doing this for almost a year: http://hg.nginx.org/nginx/rev/767aa37f12de
was:
Currently {{SSL_CTX_set_timeout}} is called only if {{params->ssl_session_cache}} equals {{SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER}}, but inside OpenSSL's code that timeout is also used for the TLS ticket (RFC5077) lifetime hint:
ssl/s3_srvr.c:
{code}
int ssl3_send_newsession_ticket(SSL *s)
...skip...
/* Ticket lifetime hint (advisory only):
* We leave this unspecified for resumed session (for simplicity),
* and guess that tickets for new sessions will live as long
* as their sessions. */
l2n(s->hit ? 0 : s->session->timeout, p);
...skip...
{code}
so we should probably set it even if {{ssl_session_cache}} is disabled.
> SSL_CTX_set_timeout should be set even if Server Side Session Cache is disabled
> -------------------------------------------------------------------------------
>
> Key: TS-3092
> URL: https://issues.apache.org/jira/browse/TS-3092
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Alexey Ivanov
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
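
The wire-level effect described in the issue, as an added example that is not part of the original message and is not OpenSSL or Traffic Server code: a NewSessionTicket message (RFC 5077) is serialised with the same `hit ? 0 : timeout` rule as the quoted line, then parsed back the way a client or an auditing tool would read the lifetime hint. All function names and the 3-byte ticket are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serialise a NewSessionTicket handshake message (RFC 5077, section 3.3).
 * The hint follows the quoted OpenSSL line: 0 on a resumed session,
 * otherwise the session timeout. Returns bytes written, 0 if out is too small. */
size_t build_new_session_ticket(uint8_t *out, size_t cap, int resumed,
                                uint32_t session_timeout,
                                const uint8_t *ticket, uint16_t ticket_len)
{
    size_t body = 4 + 2 + (size_t)ticket_len;   /* hint + length + ticket */
    uint32_t hint = resumed ? 0 : session_timeout;
    if (cap < 4 + body) return 0;
    out[0] = 4;                                 /* HandshakeType new_session_ticket */
    out[1] = (uint8_t)(body >> 16); out[2] = (uint8_t)(body >> 8); out[3] = (uint8_t)body;
    out[4] = (uint8_t)(hint >> 24); out[5] = (uint8_t)(hint >> 16);
    out[6] = (uint8_t)(hint >> 8);  out[7] = (uint8_t)hint;
    out[8] = (uint8_t)(ticket_len >> 8); out[9] = (uint8_t)ticket_len;
    memcpy(out + 10, ticket, ticket_len);
    return 4 + body;
}

/* Extract ticket_lifetime_hint from a complete message; -1 if malformed. */
int parse_ticket_lifetime_hint(const uint8_t *msg, size_t len, uint32_t *hint)
{
    if (len < 10 || msg[0] != 4) return -1;
    size_t body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    size_t tlen = ((size_t)msg[8] << 8) | msg[9];
    if (body != len - 4 || tlen != body - 6) return -1;
    *hint = ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
            ((uint32_t)msg[6] << 8) | msg[7];
    return 0;
}

/* Hint a client would read for a given session timeout; UINT32_MAX on error. */
uint32_t advertised_hint(int resumed, uint32_t session_timeout)
{
    const uint8_t ticket[3] = {0xAA, 0xBB, 0xCC};   /* constructed opaque ticket */
    uint8_t msg[32];
    uint32_t hint;
    size_t n = build_new_session_ticket(msg, sizeof msg, resumed, session_timeout, ticket, 3);
    if (n == 0 || parse_ticket_lifetime_hint(msg, n, &hint) != 0) return UINT32_MAX;
    return hint;
}

int main(void)
{
    printf("new session, timeout 86400: hint=%u\n", (unsigned)advertised_hint(0, 86400));
    printf("resumed session:            hint=%u\n", (unsigned)advertised_hint(1, 86400));
    return 0;
}
```

The hint tracks whatever session timeout is in effect, independent of any server-side cache, which is why the configured value has to reach the context even when only tickets are used.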