Traffic Server / TS-2557

Adopt resumable TLS session API


    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: sometime
    • Component/s: Security, SSL
    • Labels: None

      Description

OpenSSL 1.1.0 adds a new callback API for applications to control whether the TLS session should be cached or not.

    void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
    void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

for use by SSL/TLS servers; the callback function will be called whenever a
new session is created, and gets to decide whether the session may be
cached to make it resumable (return 0) or not (return 1). (As by the
SSL/TLS protocol specifications, the session_id sent by the server will be
empty to indicate that the session is not resumable; also, the server will
not generate RFC 4507 (RFC 5077) session tickets.)

A simple reasonable callback implementation is to return is_forward_secure.
This parameter will be set to 1 or 0 depending on the ciphersuite selected
by the SSL/TLS server library, indicating whether it can provide forward
security.

This seems like a useful sort of option.
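As an added illustration (not code from this ticket or from Traffic Server), here is a callback of the shape OpenSSL expects, driven by a hypothetical `session_cache_mode` knob a proxy might expose; the names `ats_not_resumable_cb`, `install_session_policy` and the mode constants are assumptions, and the registration step is compiled only when the OpenSSL 1.1.0 headers are available.

```c
#include <stddef.h>

/* Use the real OpenSSL types when the headers are present; otherwise an
 * opaque stand-in so the policy logic still compiles and can be tested. */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#    define HAVE_OPENSSL_SSL_H 1
#  endif
#endif
#ifndef HAVE_OPENSSL_SSL_H
typedef struct ssl_st SSL;
#endif

/* Hypothetical per-process knob (assumed here; not a Traffic Server setting). */
enum session_cache_mode {
    CACHE_ALL = 0,      /* every session resumable: OpenSSL's default behaviour */
    CACHE_NON_PFS = 1,  /* resume only when the suite is not forward secure */
    CACHE_NONE = 2      /* never resumable: empty session_id, no tickets */
};
static enum session_cache_mode g_mode = CACHE_NON_PFS;

/* Pure decision, kept free of OpenSSL state so it can be unit tested.
 * Returns 1 = do not cache (not resumable), 0 = cache (resumable). */
int not_resumable_decision(enum session_cache_mode mode, int is_forward_secure)
{
    switch (mode) {
    case CACHE_NONE:
        return 1;
    case CACHE_NON_PFS:
        /* The "return is_forward_secure" policy from the ticket: caching the
         * master secret of a forward-secure session would let a later server
         * compromise expose that session, so only non-PFS suites are cached. */
        return is_forward_secure ? 1 : 0;
    default:
        return 0;
    }
}

/* Callback with the signature OpenSSL invokes once per newly created session. */
int ats_not_resumable_cb(SSL *ssl, int is_forward_secure)
{
    (void)ssl;  /* unused here; a richer policy could consult SNI or the client cert */
    return not_resumable_decision(g_mode, is_forward_secure);
}

#ifdef HAVE_OPENSSL_SSL_H
/* Registration on the server context using the API named in the ticket. */
static void install_session_policy(SSL_CTX *ctx)
{
    SSL_CTX_set_not_resumable_session_callback(ctx, ats_not_resumable_cb);
}
#endif
```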

People

• Assignee: Susan Hinrichs (shinrich)
• Reporter: James Peach (jamespeach)