Dr Stephen Henson wrote:
> Disabling tickets using SSL_OP_NO_TICKET server side SHOULD work too (does in
> my tests) so I've no idea why that wouldn't in the OP's setup unless the patch
> doesn't set it in all contexts. Try placing it right after any call to
> SSL_CTX_new().
I'm still a bit puzzled as to why my previously posted patch does not turn off TLS session tickets... there's only one place in mod_ssl where a new context is created, and in my tests, SSL_OP_NO_TICKET was reliably applied (i.e., I didn't see any session tickets on the wire). Maybe there's another issue if tickets are turned off?

Kamesh, could you apply the attached patch, for diagnostic purposes (in addition to mod_ssl-disable_tls_tickets.diff), and let us know what "options=" values you see in your ErrorLog? Note that you don't have to increase Apache's LogLevel; the options for any new SSL connection will be logged with "warn" already. Also, it would be helpful to have another capture (with mod_ssl patched like this) where the svn client still fails with a "parse tlsext" error.

Thanks.
Kaspar
--- httpd-2.2.14/modules/ssl/mod_ssl.c.orig 2009-05-19 13:44:59.000000000 +0200 +++ httpd-2.2.14/modules/ssl/mod_ssl.c 2009-10-24 17:58:20.000000000 +0200 @@ -394,6 +394,9 @@ int ssl_init_ssl_connection(conn_rec *c) return DECLINED; /* XXX */ } + ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, + "ssl_init_ssl_connection: options=0x%lx", SSL_get_options(ssl)); + vhost_md5 = ap_md5_binary(c->pool, (unsigned char *)sc->vhost_id, sc->vhost_id_len);
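Review bot: the ap_log_cerror call is at APLOG_WARNING, so it fires for every SSL connection regardless of LogLevel; that is the stated intent for a one-off diagnostic, but if any of it is kept it should drop to APLOG_DEBUG. Since the open question is whether SSL_OP_NO_TICKET reached every context, the message should also say which server context the connection came from, for instance by adding sc->vhost_id (already in scope for the ap_md5_binary call just below) to the format string next to the options value, so the logged masks can be matched against per-vhost contexts; vhost_id is passed with an explicit vhost_id_len below, so confirm it is NUL-terminated before printing it with %s. SSL_get_options(ssl) reports the options of the SSL object, which copies the context's options when the SSL is created, so the logged value reflects what the context had at that moment and not any SSL_CTX_set_options() made afterwards.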
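To read the "options=" values this diagnostic writes, here is an added Python helper (not part of the thread, of mod_ssl or of OpenSSL) that pulls the mask out of ErrorLog lines, names each set bit using the single-bit SSL_OP_* values from OpenSSL 1.0.x's <openssl/ssl.h>, and reports for each connection whether SSL_OP_NO_TICKET is set. The sample log lines and their masks are constructed for illustration, and the "[client ...]" prefix is assumed from Apache 2.2's ap_log_cerror format; a few SSL_OP_* bits were reassigned in later OpenSSL releases, so check the table against the ssl.h mod_ssl was built with.

```python
import re
import sys

# Single-bit SSL_OP_* values from OpenSSL 1.0.x <openssl/ssl.h>.  SSL_OP_ALL is a
# composite of several of these and is deliberately left out.  Some bits were
# reassigned in later releases: compare against the ssl.h mod_ssl was built against.
SSL_OPTIONS = {
    0x00000001: "SSL_OP_MICROSOFT_SESS_ID_BUG",
    0x00000002: "SSL_OP_NETSCAPE_CHALLENGE_BUG",
    0x00000004: "SSL_OP_LEGACY_SERVER_CONNECT",
    0x00000008: "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG",
    0x00000010: "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG",
    0x00000020: "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER",
    0x00000040: "SSL_OP_MSIE_SSLV2_RSA_PADDING",
    0x00000080: "SSL_OP_SSLEAY_080_CLIENT_DH_BUG",
    0x00000100: "SSL_OP_TLS_D5_BUG",
    0x00000200: "SSL_OP_TLS_BLOCK_PADDING_BUG",
    0x00000800: "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS",
    0x00001000: "SSL_OP_NO_QUERY_MTU",
    0x00002000: "SSL_OP_COOKIE_EXCHANGE",
    0x00004000: "SSL_OP_NO_TICKET",
    0x00010000: "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
    0x00020000: "SSL_OP_NO_COMPRESSION",
    0x00040000: "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION",
    0x00080000: "SSL_OP_SINGLE_ECDH_USE",
    0x00100000: "SSL_OP_SINGLE_DH_USE",
    0x00200000: "SSL_OP_EPHEMERAL_RSA",
    0x00400000: "SSL_OP_CIPHER_SERVER_PREFERENCE",
    0x00800000: "SSL_OP_TLS_ROLLBACK_BUG",
    0x01000000: "SSL_OP_NO_SSLv2",
    0x02000000: "SSL_OP_NO_SSLv3",
    0x04000000: "SSL_OP_NO_TLSv1",
    0x08000000: "SSL_OP_PKCS1_CHECK_1",
    0x10000000: "SSL_OP_PKCS1_CHECK_2",
    0x20000000: "SSL_OP_NETSCAPE_CA_DN_BUG",
    0x40000000: "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG",
    0x80000000: "SSL_OP_CRYPTOPRO_TLSEXT_BUG",
}
SSL_OP_NO_TICKET = 0x00004000

# Matches the message emitted by the diagnostic patch, wherever it sits in the line.
LOG_RE = re.compile(r"ssl_init_ssl_connection: options=0x([0-9a-fA-F]+)")


def parse_options(line):
    """Return the options mask from one diagnostic log line, or None for any other line."""
    m = LOG_RE.search(line)
    return int(m.group(1), 16) if m else None


def decode_options(mask):
    """Name every set bit; bits missing from the table come back as 'bit<n>' so nothing is hidden."""
    names = []
    bit = 0
    while (1 << bit) <= mask:
        flag = 1 << bit
        if mask & flag:
            names.append(SSL_OPTIONS.get(flag, "bit%d" % bit))
        bit += 1
    return names


def tickets_disabled(mask):
    """True when SSL_OP_NO_TICKET is set, i.e. the server will not issue session tickets."""
    return bool(mask & SSL_OP_NO_TICKET)


def check_error_log(lines):
    """Return (mask, tickets_disabled) for every connection the patched mod_ssl logged."""
    results = []
    for line in lines:
        mask = parse_options(line)
        if mask is not None:
            results.append((mask, tickets_disabled(mask)))
    return results


# Constructed sample ErrorLog lines (Apache 2.2 format assumed).  The masks are made up:
# SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 with and without SSL_OP_NO_TICKET.
SAMPLE_LOG = [
    "[Sat Oct 24 18:02:11 2009] [warn] [client 192.0.2.10] ssl_init_ssl_connection: options=0x81104bff",
    "[Sat Oct 24 18:02:13 2009] [warn] [client 192.0.2.11] ssl_init_ssl_connection: options=0x81100bff",
    "[Sat Oct 24 18:02:13 2009] [info] [client 192.0.2.11] Connection to child 3 established",
]

if __name__ == "__main__":
    # Usage: python decode_options.py /path/to/error_log   (no argument: run on the sample)
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for mask, off in check_error_log(lines):
        print("options=0x%08x  tickets %s" % (mask, "DISABLED" if off else "enabled"))
        print("  " + ", ".join(decode_options(mask)))
```

If every connection that still produces the "parse tlsext" failure shows SSL_OP_NO_TICKET set, the option is being applied and the ticket extension is not the cause; if some lines lack it, the differing masks point at the context that was set up without it.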