Commit 4d78feaa authored by Yann Ylavic

Merge r1650310, r1650320 from trunk.


Add SSLSessionTickets (on|off).

It controls the use of TLS session tickets
(RFC 5077). Default is unchanged (on).

Using session tickets without restarting
the web server with an appropriate frequency
(e.g. daily) compromises perfect forward
secrecy.

As long as we do not have a nice key management
there should be a way to deactivate session
tickets.


Fix copy and paste error in docs of new feature.


Committed by: rjung
Reviewed by: ylavic, rjung, gsmith
Backported by: ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1678703 13f79535-47bb-0310-9956-ffa450edef68
parent 8fde7782
+9 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.30

  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior).
     Session ticket creation uses a random key created during web
     server startup and recreated during restarts. No other key
     recreation mechanism is available currently. Therefore using session
     tickets without restarting the web server with an appropriate frequency
     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]

  *) mod_deflate: Define APR_INT32_MAX when it is missing so to be able to
     compile against APR-1.2.x (minimum required version). [Yann Ylavic]

+0 −14
@@ -101,20 +101,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

   * mod_ssl: Add SSLSessionTickets (on|off). [Rainer Jung]
     It controls the use of TLS session tickets (RFC 5077).
     Default is unchanged (on).
     Using session tickets without restarting the web server with
     an appropriate frequency (e.g. daily) compromises perfect forward
     secrecy. As long as we do not have a nice key management
     there needs to be a way to deactivate the use of session tickets.
     trunk patch: http://svn.apache.org/r1650310
                  http://svn.apache.org/r1650320
     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-SSLSessionTickets-v2.patch
     +1: ylavic, rjung, gsmith
     rjung: Adjust compatibility note in docs.
     ylavic: Done, thanks.

   * mod_log_config: Add new format flag for requestion duration in milliseconds
     trunk patch: http://svn.apache.org/r1675533
     2.2.x patch: https://people.apache.org/~breser/httpd/2.2.x/patches/httpd-2.2.x-req_duration_milliseconds.patch (modulo CHANGES)
+20 −0
@@ -1926,5 +1926,25 @@ CRIME attack).</p>
</usage>
</directivesynopsis>

<directivesynopsis>
<name>SSLSessionTickets</name>
<description>Enable or disable use of TLS session tickets</description>
<syntax>SSLSessionTickets on|off</syntax>
<default>SSLSessionTickets on</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.2.30 and later, if using OpenSSL 0.9.8f
or later.</compatibility>

<usage>
<p>This directive allows to enable or disable the use of TLS session tickets
(RFC 5077).</p>
<note type="warning">
<p>TLS session tickets are enabled by default. Using them without restarting
the web server with an appropriate frequency (e.g. daily) compromises perfect
forward secrecy.</p>
</note>
</usage>
</directivesynopsis>

</modulesynopsis>
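Review bot: The warning in the new <usage> block tells administrators to restart "with an appropriate frequency" but does not say why. The CHANGES entry in this same commit has the missing explanation: the ticket key is a random key created at server startup and recreated only during restarts, with no other key recreation mechanism. Carrying that sentence into the <note type="warning"> would make the advice actionable from the directive documentation alone. As a wording point, "This directive allows to enable or disable" would read better as "This directive enables or disables".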
+3 −0
@@ -159,6 +159,9 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_SRV(Compression, FLAG,
                "Enable SSL level compression"
                "(`on', `off')")
    SSL_CMD_SRV(SessionTickets, FLAG,
                "Enable or disable TLS session tickets"
                "(`on', `off')")
    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                "Enable support for insecure renegotiation")
    SSL_CMD_ALL(UserName, TAKE1,
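Review bot: The two adjacent string literals in the SessionTickets entry are concatenated with no separator, so the directive help reads "Enable or disable TLS session tickets(`on', `off')". Add a trailing space to the first literal. The Compression entry directly above has the same run-together text and could be fixed in the same pass.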
+13 −0
@@ -183,6 +183,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
#ifndef OPENSSL_NO_COMP
    sc->compression            = UNSET;
#endif
    sc->session_tickets        = UNSET;

    modssl_ctx_init_proxy(sc, p);

@@ -284,6 +285,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
#ifndef OPENSSL_NO_COMP
    cfgMergeBool(compression);
#endif
    cfgMergeBool(session_tickets);

    modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);

@@ -745,6 +747,17 @@ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
#endif
}

const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
#ifndef SSL_OP_NO_TICKET
    return "This version of OpenSSL does not support using "
           "SSLSessionTickets.";
#endif
    sc->session_tickets = flag ? TRUE : FALSE;
    return NULL;
}

const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
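Review bot: In ssl_cmd_SSLSessionTickets, the #ifndef SSL_OP_NO_TICKET branch returns early but the block has no #else, so on builds without ticket support the lines "sc->session_tickets = flag ? TRUE : FALSE;" and "return NULL;" are compiled as unreachable code after the return. Moving the assignment and the "return NULL;" into an #else branch keeps each build with exactly one return path and avoids unreachable-code warnings. It may also be worth a comment that on such builds the error is returned for "SSLSessionTickets on" as well as "off", since the check does not look at flag.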