
SSL session ID vs session ticket

324 views

Matthias Meixner

Oct 27, 2011, 8:09:40 AM

Hello!

When upgrading to version 0.9.8r my system stopped supporting session resumption.
It looks like session tickets are the reason for this.

I was using some external session cache to support session resumption on a cluster
of servers where it should be possible that each server in the cluster can resume
the SSL connection. With the upgrade to version 0.9.8r this stopped working
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Jeffrey Walton

Oct 27, 2011, 9:24:24 AM
On Thu, Oct 27, 2011 at 8:09 AM, Matthias Meixner
<Matthias...@verifone.com> wrote:
>
> Hello!
>
> When upgrading to version 0.9.8r my system stopped supporting session resumption.
> It looks like session tickets are the reason for this.
>
> I was using some external session cache to support session resumption on a cluster
> of servers where it should be possible that each server in the cluster can resume
> the SSL connection. With the upgrade to version 0.9.8r this stopped working
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

Richard Könning

Oct 27, 2011, 12:12:17 PM
On 27.10.2011 14:09, Matthias Meixner wrote:
>
> Hello!
>
> When upgrading to version 0.9.8r my system stopped supporting session resumption.
> It looks like session tickets are the reason for this.
>
> I was using some external session cache to support session resumption on a cluster
> of servers where it should be possible that each server in the cluster can resume
> the SSL connection. With the upgrade to version 0.9.8r this stopped working

Try using something like

SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);

Ciao,
Richard

Dr. Stephen Henson

Oct 27, 2011, 2:05:08 PM
On Thu, Oct 27, 2011, Richard Könning wrote:

> On 27.10.2011 14:09, Matthias Meixner wrote:
> >
> >Hello!
> >
> >When upgrading to version 0.9.8r my system stopped supporting session resumption.
> >It looks like session tickets are the reason for this.
> >
> >I was using some external session cache to support session resumption on a cluster
> >of servers where it should be possible that each server in the cluster can resume
> >the SSL connection. With the upgrade to version 0.9.8r this stopped working
>
> Try using something like
>
> SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
>

Yes that's the easiest option. Alternatively find a way for the servers to
share the same ticket encryption and HMAC keys.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Matthias Meixner

Oct 28, 2011, 2:24:13 AM

Hello!

It looks like my original e-mail was truncated, so my main questions
were missing.

I had already found option SSL_OP_NO_TICKET but I have some questions regarding
SSL session tickets for which I have not found an answer yet:

Is it OK to simply disable them or does this create some security risks?

What is the advantage of using session tickets instead of session IDs?

Can SSL session tickets be used with some kind of external cache?


Thanks,

Matthias Meixner



-----Original Message-----
From: owner-ope...@openssl.org [mailto:owner-ope...@openssl.org] On behalf of Richard Könning
Sent: Thursday, 27 October 2011 18:12
To: openss...@openssl.org
Subject: Re: SSL session ID vs session ticket

On 27.10.2011 14:09, Matthias Meixner wrote:
>
> Hello!
>
> When upgrading to version 0.9.8r my system stopped supporting session resumption.
> It looks like session tickets are the reason for this.
>
> I was using some external session cache to support session resumption
> on a cluster of servers where it should be possible that each server
> in the cluster can resume the SSL connection. With the upgrade to
> version 0.9.8r this stopped working

Try using something like

SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);

Ciao,
Richard

Dr. Stephen Henson

Oct 28, 2011, 6:55:05 AM
On Thu, Oct 27, 2011, Matthias Meixner wrote:

>
> Hello!
>
> it looks like my original EMail has been truncated, therefore, my main questions
> were missing.
>
> I had already found option SSL_OP_NO_TICKET but I have some questions regarding
> SSL session tickets for which I have not found an answer yet:
>
> Is it OK to simply disable them or does this create some security risks?
>

It's fine. If you disable them the normal stateful session resumption will be
used.

> What is the advantage of using session tickets instead of session IDs?
>

The server doesn't need to lookup session information from a cache.

> Can SSL session tickets be used with some kind of external cache?
>

The tickets themselves are stored by clients. In order to use tickets a server
needs two keys: a symmetric key and an HMAC key. If you have a distributed
server they will all need to share the keys in order to process each others
tickets.

You can use the macros SSL_CTX_get_tlsext_ticket_keys() and
SSL_CTX_set_tlsext_ticket_keys() to do this. There is also a callback
SSL_CTX_set_ticket_key_cb().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
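The point made twice in this thread (Steve's first reply, "find a way for the servers to share the same ticket encryption and HMAC keys", and his last one describing the 16-byte key name plus symmetric and HMAC keys that SSL_CTX_set_tlsext_ticket_keys() installs) is easiest to see with a small model of a RFC 5077 ticket travelling between cluster members. The following is an added example, not code from the thread or from OpenSSL. It keeps OpenSSL's key layout (key name, cipher key, HMAC key) and its callback semantics (decrypt failure means "do a full handshake", decrypting with an old key means "resume but issue a fresh ticket", which is what returning 2 from the ticket key callback does), but to stay standard-library only it encrypts with an HMAC-SHA256 counter-mode keystream instead of the AES-CBC OpenSSL uses, so tickets here are not wire-compatible. `TicketServer`, `TicketKey`, `new_ticket_key` and `cluster_demo` are names chosen for this example.

```python
"""Model of TLS session tickets (RFC 5077) issued and resumed across a cluster.

Added example, not OpenSSL code. Key material mirrors what OpenSSL's ticket
callback works with: a 16-byte key name sent in the clear, a cipher key and
an HMAC key. The cipher is an HMAC-SHA256 counter-mode keystream standing
in for AES-CBC, so the construction runs offline but is illustrative only.
"""
import hashlib
import hmac
import json
import os
import struct
from dataclasses import dataclass

KEY_NAME_LEN = 16   # OpenSSL: unsigned char key_name[16]
IV_LEN = 16
MAC_LEN = 32        # HMAC-SHA256 tag


@dataclass(frozen=True)
class TicketKey:
    name: bytes      # identifies the key; the server picks the key by this name
    enc_key: bytes   # protects the session state inside the ticket
    mac_key: bytes   # authenticates name || iv || ciphertext


def new_ticket_key() -> TicketKey:
    """48 random bytes split like SSL_CTX_set_tlsext_ticket_keys() expects."""
    raw = os.urandom(48)
    return TicketKey(raw[:16], raw[16:32], raw[32:48])


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """PRF-based stream cipher (stand-in for AES, see module docstring)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TicketServer:
    """One cluster member. keys[0] is used to issue; every key in the list
    is accepted for decryption, which is how rotation works."""

    def __init__(self, name: str, keys):
        self.name = name
        self.keys = list(keys)

    def issue(self, session_state: dict) -> bytes:
        k = self.keys[0]
        iv = os.urandom(IV_LEN)
        pt = json.dumps(session_state, sort_keys=True).encode()
        body = k.name + iv + _xor(pt, _keystream(k.enc_key, iv, len(pt)))
        return body + hmac.new(k.mac_key, body, hashlib.sha256).digest()

    def resume(self, ticket: bytes):
        """Return (state, renew). state None: ticket unusable, do a full
        handshake (no error). renew True: decrypted with an old key, resume
        but send the client a fresh ticket (OpenSSL callback returning 2)."""
        if len(ticket) < KEY_NAME_LEN + IV_LEN + MAC_LEN:
            return None, False
        name, body, tag = ticket[:KEY_NAME_LEN], ticket[:-MAC_LEN], ticket[-MAC_LEN:]
        for idx, k in enumerate(self.keys):
            if k.name == name:
                break
        else:
            return None, False          # this server never had that key
        if not hmac.compare_digest(hmac.new(k.mac_key, body, hashlib.sha256).digest(), tag):
            return None, False          # wrong HMAC key or tampered ticket
        iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
        ct = body[KEY_NAME_LEN + IV_LEN:]
        try:
            state = json.loads(_xor(ct, _keystream(k.enc_key, iv, len(ct))).decode())
        except ValueError:
            return None, False
        return state, idx > 0


def cluster_demo() -> dict:
    """Constructed scenario: a and b share keys, c has its own, then a rotates."""
    shared = new_ticket_key()
    a = TicketServer("a", [shared])
    b = TicketServer("b", [shared])                # same keys as a
    c = TicketServer("c", [new_ticket_key()])      # independently generated keys
    state = {"cipher": "AES128-SHA", "master_secret": os.urandom(48).hex()}
    ticket = a.issue(state)                        # client stores this, not the server
    b_state, b_renew = b.resume(ticket)
    c_state, _ = c.resume(ticket)
    a.keys.insert(0, new_ticket_key())             # rotate: new key issues, old still decrypts
    a_state, a_renew = a.resume(ticket)
    tampered = ticket[:-1] + bytes([ticket[-1] ^ 1])
    return {
        "b_resumed": b_state == state,             # True: shared keys
        "c_resumed": c_state is not None,          # False: falls back to full handshake
        "a_after_rotate": a_state == state,        # True: old key kept for decryption
        "a_renew": a_renew,                        # True: re-issue under the new key
        "b_renew": b_renew,                        # False: ticket used the current key
        "tampered": a.resume(tampered)[0] is not None,  # False: HMAC check fails
    }


if __name__ == "__main__":
    print(cluster_demo())
```

Two practical consequences follow from the model. The ticket keys are as sensitive as the server's private key for the lifetime of the sessions they protect, because anyone holding them can decrypt the master secret inside every ticket; distribute them through the same channel you would use for the private key, and rotate them (the callback path, or re-installing keys with SSL_CTX_set_tlsext_ticket_keys() on every node) so that a leaked key only exposes a bounded window. And a node that cannot decrypt a ticket does not fail the connection, it silently does a full handshake, which is exactly why the original cluster "stopped supporting session resumption" rather than erroring out. Python's own ssl module exposes the disable switch discussed in the thread as `ssl.OP_NO_TICKET` on an SSLContext's options, if you want the stateful behaviour from a Python server.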