Option to disable TLS session tickets
It would be nice if there were a way to prevent Lighttpd from using TLS session tickets.
OpenSSL provides SSL_CTX_set_options(SSL_OP_NO_TICKET), but Lighttpd does not provide any way to set this option in its configuration file. Lighttpd does not appear to register any special ticket handling functionality with OpenSSL either, which means OpenSSL’s default ticket handling will be used which, as I understand it, means a random ticket encryption key will be generated on server startup and never changed. It would be absolutely ideal if Lighttpd were able to rotate ticket keys, but in the absence of such a large change, disabling tickets is a reasonable workaround (this doesn’t affect session IDs, which will still work, only session tickets).
[mod_openssl] ssl.openssl.ssl-conf-cmd (fixes #2758)
(similar to Apache mod_ssl SSLOpenSSLConfCmd directive)
This new directive is for use with OpenSSL only, and is not currently
available in LibreSSL.
lighttpd takes "file commands" not "command line commands" as
openssl SSL_CONF_cmd() appears to permit only one mode at a time.
lighttpd processes this directive after all other ssl.* directives
have been applied for the $SERVER["socket"] scope.
github: closes #84
Updated by gstrauss about 1 year ago
See https://github.com/gstrauss/lighttpd1.4/commit/c09acbeb8a030942d9825b3d0dd01c84e0a0b919 for experimental ssl.openssl.ssl-conf-cmd directive
Also available in: Atom