Hello, I was looking into enabling TLS session tickets (RFC5077) (which allow session resumption without server-side state), when I noticed that in the OpenSSL code they are explicitly disabled.
I traced this back to commit 8fa8df95 which says:

> - The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to disable "rfc4507bis session ticket support". rfc4507bis was later turned into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
>
> The enabled extension concerns the session management. I wonder how often libcurl stops a connection and then resumes a TLS session. also, sending the session data is some overhead.
>
> I suggest that you just use your proposed patch (which explicitly disables TICKET). If someone writes an application with libcurl and openssl who wants to enable the feature, one can do this in the SSL callback.

This was in 2009, so I'm wondering if anyone has any interest in enabling this again now.

Arguably, from curl's POV, session tickets don't provide much benefit compared to session ids (which curl already supports), but it seems that they are generally preferred by servers and it might be worth adding support for them to curl for server debugging purposes (it's also worth noting that pretty much all browsers support them).

Cheers

[0] http://tools.ietf.org/html/rfc5077
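What the flag discussed in the message above changes on the wire, as an added example that is not part of the original post or of curl's code: Python's `ssl` module (OpenSSL bindings) builds a ClientHello in memory with `OP_NO_TICKET` set and cleared, and a small parser checks for the RFC 5077 SessionTicket extension (type 35). The helper names and the host name `example.test` are constructed for illustration; no network connection is made.

```python
import ssl
import struct

SESSION_TICKET_EXT = 35  # SessionTicket TLS extension type (RFC 5077)


def client_hello(no_ticket: bool) -> bytes:
    """Return the first TLS record a client context emits (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # RFC 5077 tickets apply to TLS <= 1.2
    if no_ticket:
        ctx.options |= ssl.OP_NO_TICKET   # same OpenSSL flag as SSL_OP_NO_TICKET
    else:
        ctx.options &= ~ssl.OP_NO_TICKET
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.test" is a constructed name; nothing is sent over the network.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and no server answers
    return outgoing.read()


def hello_extensions(record: bytes) -> dict:
    """Parse a ClientHello record into {extension_type: extension_data}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                              # legacy_version + random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")       # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")  # end of extensions
    pos += 2
    extensions = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        extensions[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return extensions


def offers_session_ticket(no_ticket: bool) -> bool:
    """True if the ClientHello advertises RFC 5077 session ticket support."""
    return SESSION_TICKET_EXT in hello_extensions(client_hello(no_ticket))


if __name__ == "__main__":
    for flag in (True, False):
        print(f"OP_NO_TICKET={flag}: ticket offered={offers_session_ticket(flag)}")
```

On a first connection the extension is sent empty, which only signals support; a server that sees no extension at all has to fall back to session IDs.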