[TS-3092] SSL_CTX_set_timeout should be set even if Server Side Session Cache is disabled - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.2.0
Component/s: SSL
Labels:
None

Description

Currently SSL_CTX_set_timeout is called only if params->ssl_session_cache equals to SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER but inside openssl's code that timeout is used also for TLS ticket (RFC5077) lifetime hint:

ssl/s3_srvr.c:

int ssl3_send_newsession_ticket(SSL *s)
...skip...
                /* Ticket lifetime hint (advisory only):
                 * We leave this unspecified for resumed session (for simplicity),
                 * and guess that tickets for new sessions will live as long
                 * as their sessions. */
                l2n(s->hit ? 0 : s->session->timeout, p);
...skip...

so we should probably set it even if ssl_session_cache is disabled.

UPDATE: nginx has been doing this for almost a year: http://hg.nginx.org/nginx/rev/767aa37f12de

Attachments

Activity

People

Assignee:: Brian Geffon

Reporter:: Alexey Ivanov

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 22/Sep/14 08:42

Updated:: 18/Dec/14 05:11

Resolved:: 23/Sep/14 23:53