Bug 57391 - Allow TLS Session Tickets to be disabled
Summary: Allow TLS Session Tickets to be disabled
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.0.x-trunk
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
 
Reported: 2014-12-22 21:27 UTC by Josiah Purtlebaugh
Modified: 2014-12-23 10:16 UTC



Attachments
svn diff output (4.36 KB, text/plain)
2014-12-22 21:27 UTC, Josiah Purtlebaugh

Description Josiah Purtlebaugh 2014-12-22 21:27:07 UTC
Created attachment 32322
svn diff output

OpenSSL contexts support the SSL_OP_NO_TICKET option as of OpenSSL 1.0.0 that disables the use of TLS Session Tickets (RFC 4507) in order to protect perfect forward secrecy. The APR connector should support the ability to enable/disable this functionality at runtime.

With 'SSLDisableSessionTickets' omitted or set to false:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: FE4BF00CC4B357A046F5A0EDDDF874C3194FB10453480986E9B798028DCC1FB1
    Session-ID-ctx: 
    Master-Key: 65F45CFC648ADCAFB84026B702C800D18E05F7DB27618D2E036308F95AE479C7428D006D2CB4A68342FD23F39099C291
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7d 37 a8 08 28 98 ff 9f-0d 74 bb 2c 04 90 cf 7b   }7..(....t.,...{
    0010 - 23 34 11 49 4e db c4 04-4a e3 9e 76 06 59 10 5f   #4.IN...J..v.Y._
    0020 - c6 c4 05 4e f2 76 f6 d4-3e a2 a5 ec e4 51 e9 15   ...N.v..>....Q..
    0030 - 6d 71 ba 19 2e b7 b1 79-a2 13 3e 4d f4 08 a7 94   mq.....y..>M....
    0040 - 2f ab 77 2a 92 03 04 12-a0 8a 7e 24 c3 de b1 64   /.w*......~$...d
    0050 - fd b9 ba 0b bd 8e 0d b9-99 0e 86 f4 16 a0 9d ad   ................
    0060 - 99 78 26 eb 59 30 9f 69-93 d4 17 95 99 70 c1 e1   .x&.Y0.i.....p..
    0070 - b8 2e fc 6e d0 ca af f6-10 37 05 73 92 49 2e e4   ...n.....7.s.I..
    0080 - 22 e5 9c db 10 f2 2a 59-3e a2 a1 15 fb c3 07 06   ".....*Y>.......
    0090 - 17 9b e9 f4 cd 89 14 43-c3 40 eb 8b b5 c7 e7 e1   .......C.@......
    00a0 - ce ec c8 39 46 de ae 98-bc 5b c9 3f 55 a5 e9 31   ...9F....[.?U..1

With 'SSLDisableSessionTickets' set to true:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 019AE5FB556C2D52857B711395E19EAA5B580C704EB43B2787AD72FDE5077F81
    Session-ID-ctx: 
    Master-Key: 22C1A1DDB686D745F456DB6E1DCC2C38D3F651B483C2F2CCC280E9D8A148B20CE65475862F058E099C6B34FCEA7BC295
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1419283439
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

Versions:
CentOS release 6.5 (Final)
OpenSSL 1.0.1e-fips 11 Feb 2013
Tomcat 8.x trunk
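
The before/after comparison above can be automated. The following is an added example, not part of the original report or of Tomcat: a shell function that reads `openssl s_client` output in the TLS 1.0-1.2 format shown above and reports whether a session ticket was issued, without mistaking a failed connection for "tickets disabled". The function name `ticket_status`, its output strings and the embedded sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output read on stdin.
# Prints one of: "no-session", "no-ticket", "ticket lifetime=<s>s bytes=<n>".
ticket_status() {
    awk '
        /^SSL-Session:/ { session = 1 }
        /TLS session ticket lifetime hint:/ { hint = $(NF - 1) }
        /TLS session ticket:/ { dump = 1; next }
        dump && /^ +[0-9a-f]+ - / {
            # Keep only the 47-column hex field so hex-looking characters
            # in the ASCII column on the right are not counted as bytes.
            hex = substr($0, index($0, " - ") + 3, 47)
            bytes += gsub(/[0-9a-f][0-9a-f]/, "&", hex)
            next
        }
        { dump = 0 }
        END {
            if (!session)       print "no-session"
            else if (bytes > 0) print "ticket lifetime=" hint "s bytes=" bytes
            else                print "no-ticket"
        }
    '
}

# Constructed sample output (not captured from a real server).
sample_with_ticket() {
    cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 61 62 63 64 65 66 61 62-63 64 65 66 61 62 63 64   abcdefabcdefabcd
    0010 - 00 01 02 03                                       ....
    Start Time: 0
EOF
}

sample_without_ticket() {
    cat <<'EOF'
SSL-Session:
    Protocol  : TLSv1
    Start Time: 0
EOF
}

sample_with_ticket | ticket_status
sample_without_ticket | ticket_status
# A failed connection has no SSL-Session block and is reported separately.
printf 'connect: Connection refused\n' | ticket_status
```

Against a live connector, pipe the output of `openssl s_client -connect HOST:PORT </dev/null` into `ticket_status`, where HOST and PORT are placeholders for the server under test.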
Comment 1 Mark Thomas 2014-12-23 10:16:50 UTC
Many thanks for the bug report and the patch.

The patch has been applied to trunk and 8.0.x (for 8.0.16 onwards).