Bug 57391 - Allow TLS Session Tickets to be disabled
Allow TLS Session Tickets to be disabled
Status: RESOLVED FIXED
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
8.0.x-trunk
PC Linux
: P2 normal (vote)
: ----
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2014-12-22 21:27 UTC by Josiah Purtlebaugh
Modified: 2014-12-23 10:16 UTC (History)
0 users



Attachments
svn diff output (4.36 KB, text/plain)
2014-12-22 21:27 UTC, Josiah Purtlebaugh
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Josiah Purtlebaugh 2014-12-22 21:27:07 UTC
Created attachment 32322 [details]
svn diff output

OpenSSL contexts support the SSL_OP_NO_TICKET option as of OpenSSL 1.0.0 that disables the use of TLS Session Tickets (RRC 4507) in order to protect perfect forward secrecy. The APR connector should support the ability to enable/disable this functionality at runtime.

With 'SSLDisableSessionTickets' omitted or set to false:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: FE4BF00CC4B357A046F5A0EDDDF874C3194FB10453480986E9B798028DCC1FB1
    Session-ID-ctx: 
    Master-Key: 65F45CFC648ADCAFB84026B702C800D18E05F7DB27618D2E036308F95AE479C7428D006D2CB4A68342FD23F39099C291
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 7d 37 a8 08 28 98 ff 9f-0d 74 bb 2c 04 90 cf 7b   }7..(....t.,...{
    0010 - 23 34 11 49 4e db c4 04-4a e3 9e 76 06 59 10 5f   #4.IN...J..v.Y._
    0020 - c6 c4 05 4e f2 76 f6 d4-3e a2 a5 ec e4 51 e9 15   ...N.v..>....Q..
    0030 - 6d 71 ba 19 2e b7 b1 79-a2 13 3e 4d f4 08 a7 94   mq.....y..>M....
    0040 - 2f ab 77 2a 92 03 04 12-a0 8a 7e 24 c3 de b1 64   /.w*......~$...d
    0050 - fd b9 ba 0b bd 8e 0d b9-99 0e 86 f4 16 a0 9d ad   ................
    0060 - 99 78 26 eb 59 30 9f 69-93 d4 17 95 99 70 c1 e1   .x&.Y0.i.....p..
    0070 - b8 2e fc 6e d0 ca af f6-10 37 05 73 92 49 2e e4   ...n.....7.s.I..
    0080 - 22 e5 9c db 10 f2 2a 59-3e a2 a1 15 fb c3 07 06   ".....*Y>.......
    0090 - 17 9b e9 f4 cd 89 14 43-c3 40 eb 8b b5 c7 e7 e1   .......C.@......
    00a0 - ce ec c8 39 46 de ae 98-bc 5b c9 3f 55 a5 e9 31   ...9F....[.?U..1

With 'SSLDisableSessionTickets' set to true:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 019AE5FB556C2D52857B711395E19EAA5B580C704EB43B2787AD72FDE5077F81
    Session-ID-ctx: 
    Master-Key: 22C1A1DDB686D745F456DB6E1DCC2C38D3F651B483C2F2CCC280E9D8A148B20CE65475862F058E099C6B34FCEA7BC295
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1419283439
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

Versions:
CentOS release 6.5 (Final)
OpenSSL 1.0.1e-fips 11 Feb 2013
Tomcat 8.x trunk
Comment 1 Mark Thomas 2014-12-23 10:16:50 UTC
Many thanks for the bug report and the patch.

The patch has been applied to trunk and 8.0.x (for 8.0.16 onwards).