Project

General

Profile

Feature #2758

Option to disable TLS session tickets

Added by Hawk777 5 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
TLS
Target version:
Start date:
2016-10-25
Due date:
% Done:

0%

Missing in 1.5.x:

Description

It would be nice if there were a way to prevent Lighttpd from using TLS session tickets.

Rationale: https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/

OpenSSL provides SSL_CTX_set_options(SSL_OP_NO_TICKET), but Lighttpd does not provide any way to set this option in its configuration file. Lighttpd does not appear to register any special ticket handling functionality with OpenSSL either, which means OpenSSL’s default ticket handling will be used which, as I understand it, means a random ticket encryption key will be generated on server startup and never changed. It would be absolutely ideal if Lighttpd were able to rotate ticket keys, but in the absence of such a large change, disabling tickets is a reasonable workaround (this doesn’t affect session IDs, which will still work, only session tickets).

History

#1 Updated by gstrauss 5 months ago

  • Category set to TLS

Also available in: Atom