
Feature #2758

Option to disable TLS session tickets

Added by Hawk777 about 1 year ago. Updated about 1 month ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: TLS
Target version:
Start date: 2016-10-25
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

It would be nice if there were a way to prevent Lighttpd from using TLS session tickets.

Rationale: https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/

OpenSSL provides SSL_CTX_set_options(SSL_OP_NO_TICKET), but Lighttpd does not provide any way to set this option in its configuration file. Lighttpd does not appear to register any special ticket handling functionality with OpenSSL either, which means OpenSSL’s default ticket handling will be used which, as I understand it, means a random ticket encryption key will be generated on server startup and never changed. It would be absolutely ideal if Lighttpd were able to rotate ticket keys, but in the absence of such a large change, disabling tickets is a reasonable workaround (this doesn’t affect session IDs, which will still work, only session tickets).

Associated revisions

Revision c09acbeb (diff)
Added by gstrauss about 1 month ago

[mod_openssl] ssl.openssl.ssl-conf-cmd (fixes #2758)

(similar to Apache mod_ssl SSLOpenSSLConfCmd directive)

(experimental)

This new directive is for use with OpenSSL only, and is not currently
available in LibreSSL.

https://wiki.openssl.org/index.php/Manual:SSL_CONF_cmd(3)

lighttpd takes "file commands" not "command line commands" as
openssl SSL_CONF_cmd() appears to permit only one mode at a time.

lighttpd processes this directive after all other ssl.* directives
have been applied for the $SERVER["socket"] scope.

x-ref:
"Option to disable TLS session tickets"
https://redmine.lighttpd.net/issues/2758
"Allow to selectively disable TLS 1.0, 1.1 and 1.2 versions"
https://github.com/lighttpd/lighttpd1.4/pull/84

github: closes #84
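The directive introduced by the commit above, as a worked configuration. This is an added example, not configuration from the lighttpd project or from the issue; it assumes lighttpd 1.4.48 or later built against OpenSSL (the commit notes the directive is not available with LibreSSL), and the hostname, certificate path and cipher string are illustrative assumptions. Because the values are OpenSSL SSL_CONF_cmd(3) "file commands", the key is the command name and the value is its argument; `Options -SessionTicket` is the file-command spelling of SSL_OP_NO_TICKET that the reporter asked for, and `MinProtocol` covers the protocol-version case cross-referenced from PR #84.

```conf
# Added example (not the project's own config). Assumes lighttpd >= 1.4.48
# linked against OpenSSL; names and paths below are placeholders.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/example.com.pem"   # assumed path

    # Ordinary ssl.* directives are applied first for this socket ...
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list        = "ECDHE+AESGCM:ECDHE+CHACHA20" # assumed policy

    # ... and ssl.openssl.ssl-conf-cmd is applied last, so anything set here
    # overrides the ssl.* directives above. Keys are SSL_CONF_cmd(3) file
    # commands, values are their arguments:
    #   Options     -SessionTicket  -> SSL_OP_NO_TICKET: no session tickets,
    #                                  session-ID resumption keeps working
    #   MinProtocol TLSv1.2         -> OpenSSL 1.1.0+; on 1.0.2 use
    #                                  "Protocol" => "-SSLv3,-TLSv1,-TLSv1.1"
    ssl.openssl.ssl-conf-cmd = (
        "Options"     => "-SessionTicket",
        "MinProtocol" => "TLSv1.2"
    )
}
```

Check the file with `lighttpd -t -f /etc/lighttpd/lighttpd.conf` before reloading, and confirm the effect from a client with `openssl s_client -connect example.com:443 </dev/null 2>/dev/null | grep 'TLS session ticket'`: with tickets disabled no `TLS session ticket:` block is printed in the session dump, while `openssl s_client -reconnect ...` should still report resumed sessions via session IDs. Because the directive is applied after the other ssl.* directives, keep cipher and protocol policy in one place (either ssl.* or ssl-conf-cmd) so a later reader does not have to work out which one wins.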

History

#1

Updated by gstrauss about 1 year ago

  • Category set to TLS
#2

Updated by gstrauss about 1 month ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.48
#3

Updated by gstrauss about 1 month ago

#4

Updated by gstrauss about 1 month ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
