Commit 8fa8df95 authored by Daniel Stenberg

- The "-no_ticket" option was introduced in OpenSSL 0.9.8j. It's a flag to
  disable "rfc4507bis session ticket support". rfc4507bis was later turned
  into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077

  The enabled extension concerns the session management. I wonder how often
  libcurl stops a connection and then resumes a TLS session. Also, sending the
  session data is some overhead. I suggest that you just use your proposed
  patch (which explicitly disables TICKET).

  If someone who writes an application with libcurl and OpenSSL wants to
  enable the feature, they can do this in the SSL callback.

  Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
  on the proper action.
parent 82ca5271
+15 −0
@@ -7,6 +7,21 @@
                                  Changelog

Daniel Stenberg (26 Jan 2009)
- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
  disable "rfc4507bis session ticket support".  rfc4507bis was later turned
  into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077

  The enabled extension concerns the session management. I wonder how often
  libcurl stops a connection and then resumes a TLS session. also, sending the
  session data is some overhead. .I suggest that you just use your proposed
  patch (which explicitly disables TICKET).

  If someone writes an application with libcurl and openssl who wants to
  enable the feature, one can do this in the SSL callback.

  Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
  on the proper action.

- Alexey Borzov filed bug report #2535504
  (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with
  quoted quotation marks in HTTP Digest headers didn't work. I've now added 
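Review bot: the new CHANGES entry (the "-no_ticket" paragraph through "one can do this in the SSL callback") is a mailing-list reply pasted verbatim rather than a changelog record: "I suggest that you just use your proposed patch (which explicitly disables TICKET)" addresses a correspondent, "Openssl0.9.8j" is missing a space, and ". .I suggest" carries a stray period. Suggest rewording it to state what changed, for example "the OpenSSL backend now sets SSL_OP_NO_TICKET so the RFC 5077 session-ticket extension, on by default since OpenSSL 0.9.8j, is disabled; applications that want it can re-enable it from the SSL callback", and leaving the discussion to the thread.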
+4 −1
@@ -10,6 +10,8 @@ Curl and libcurl 7.19.4
This release includes the following changes:

 o Added CURLOPT_NOPROXY and the corresponding --noproxy
 o the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by default
   in openssl 0.9.8j

This release includes the following bugfixes:

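Review bot: "disables TICKET (rfc5077)" in the new bullet is only meaningful to readers who know the OpenSSL option name; release notes are read by users, so spell it out as "disables TLS session tickets (RFC 5077, SSL_OP_NO_TICKET)". "enabled by default in openssl 0.9.8j" also reads as if only that one release had it on; "from openssl 0.9.8j on" matches the commit message's "introduced in" wording.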
@@ -24,6 +26,7 @@ This release includes the following known bugs:
This release would not have looked like this without help, code, reports and
advice from friends like these:

 Lisa Xu, Daniel Fandrich, Craig A West, Alexey Borzov
 Lisa Xu, Daniel Fandrich, Craig A West, Alexey Borzov, Sharad Gupta,
 Peter Sylvester

        Thanks! (and sorry if I forgot to mention someone)
+22 −2
@@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
 * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -1385,8 +1385,28 @@ ossl_connect_step1(struct connectdata *conn,
     enable the bug workaround options if compatibility with somewhat broken
     implementations is desired."

     The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
     disable "rfc4507bis session ticket support".  rfc4507bis was later turned
     into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077

     The enabled extension concerns the session management. I wonder how often
     libcurl stops a connection and then resumes a TLS session. also, sending
     the session data is some overhead. .I suggest that you just use your
     proposed patch (which explicitly disables TICKET).

     If someone writes an application with libcurl and openssl who wants to
     enable the feature, one can do this in the SSL callback.

  */
  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
#ifdef SSL_OP_NO_TICKET
  /* expect older openssl releases to not have this define so only use it if
     present */
#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET
#else
#define CURL_CTX_OPTIONS SSL_OP_ALL
#endif

  SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS);

  /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
  if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
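Review bot: CURL_CTX_OPTIONS is defined inside ossl_connect_step1 as `SSL_OP_ALL|SSL_OP_NO_TICKET` with no enclosing parentheses and is never #undef'd, so it remains defined for the rest of the translation unit after the single SSL_CTX_set_options() call that uses it. Either wrap the value as `(SSL_OP_ALL|SSL_OP_NO_TICKET)` and add `#undef CURL_CTX_OPTIONS` after the call, or drop the macro and OR the flag into a local variable under the #ifdef, which keeps the preprocessor block next to the one statement it affects. The comment block above it also copies the mailing-list reply word for word ("I suggest that you just use your proposed patch"); the next reader needs the decision, not the exchange, so a short note that session tickets (RFC 5077) are switched off because libcurl does not rely on ticket-based resumption and the extension adds data to every handshake, and that the flag is only set where SSL_OP_NO_TICKET exists so older OpenSSL builds are unaffected, would document it better.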