Option to disable TLS session tickets
It would be nice if there were a way to prevent Lighttpd from using TLS session tickets.
OpenSSL provides SSL_CTX_set_options(SSL_OP_NO_TICKET), but Lighttpd does not provide any way to set this option in its configuration file. Lighttpd does not appear to register any special ticket handling functionality with OpenSSL either, which means OpenSSL’s default ticket handling will be used, which, as I understand it, means a random ticket encryption key will be generated on server startup and never changed. It would be absolutely ideal if Lighttpd were able to rotate ticket keys, but in the absence of such a large change, disabling tickets is a reasonable workaround (this doesn’t affect session IDs, which will still work, only session tickets).
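An added check, not part of the original report and not Lighttpd code: a small shell function that reads a saved `openssl s_client` transcript and reports whether the server issued a session ticket or fell back to a session ID only. The function names, the host name in the comment and both sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Capture a transcript from your own server first (host is a placeholder):
#   openssl s_client -connect your-server.example:443 -tls1_2 </dev/null >transcript.txt 2>&1
# then run:  ticket_status <transcript.txt

ticket_status() {
    awk '
        BEGIN { proto = "unknown" }
        # "Protocol  : TLSv1.2" inside the SSL-Session block
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        # "TLS session ticket lifetime hint: 300 (seconds)"
        /TLS session ticket lifetime hint:/ {
            for (i = 1; i < NF; i++) if ($i == "hint:") hint = $(i + 1)
        }
        # "TLS session ticket:" precedes the hex dump of the ticket itself
        /^[ \t]*TLS session ticket:/ { ticket = 1 }
        # A non-empty Session-ID means server-side session caching still works
        /^[ \t]*Session-ID:[ \t]*[0-9A-Fa-f]/ { sid = 1 }
        END {
            if (ticket)
                printf "ticket-issued proto=%s lifetime_hint=%s\n", proto, (hint == "" ? "unknown" : hint)
            else if (sid)
                printf "no-ticket proto=%s session-id-only\n", proto
            else
                printf "no-ticket proto=%s no-resumption-state\n", proto
        }
    '
}

# Constructed transcript excerpt: server with tickets enabled.
sample_with_ticket() {
    cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ff   (constructed)
EOF
}

# Constructed transcript excerpt: server with SSL_OP_NO_TICKET set.
sample_without_ticket() {
    cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D
    Session-ID-ctx:
EOF
}
```

The `session-id-only` result is the state the request asks for: no ticket is handed out, while session ID resumption remains available.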