On 30.09.2011 08:08, Paul Querna wrote:
> Attached is a patch
> <http://people.apache.org/~pquerna/tls_session_ticket_support.patch>
> to add support for setting SSL_CTX_set_tlsext_ticket_keys.
>
> I have two questions:
>
> 1) What is the right ifdef to look for support of this feature? I was
> just using ifdef SSL_CTX_set_tlsext_ticket_keys and it seemed to work
> for me......

SSL_CTRL_SET_TLSEXT_TICKET_KEYS and #ifndef OPENSSL_NO_TLSEXT, respectively - I would suggest wrapping it in the same way as SSL_CTX_set_tlsext_servername_callback/SSL_CTX_set_tlsext_servername_arg.

Generally speaking, I agree with Stefan that such keys shouldn't be stored in config files as (static) plain-text strings. RFC 5077 section 5.5 lists some recommendations for the management of ticket protection keys, although it hastens to add that "A full description [...] is beyond the scope of this document".

Kaspar
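
An added illustration of the key-handling point in the reply above, not code from the patch or from httpd: a small in-memory ring that generates ticket keys from the kernel CSPRNG and rotates them by age, following RFC 5077 section 5.5's advice to generate keys securely and change them regularly. The 48-byte blob size (OpenSSL 1.0.x era), the three-slot ring and all struct and function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define KEY_NAME_LEN   16  /* RFC 5077 section 4: opaque key_name[16] */
#define TICKET_KEY_LEN 48  /* assumption: 48-byte key blob as in OpenSSL 1.0.x */
#define RING_SLOTS     3   /* hypothetical: one issuing key plus two retired */

struct ticket_key { unsigned char blob[TICKET_KEY_LEN]; time_t created; int used; };
struct key_ring   { struct ticket_key slot[RING_SLOTS]; int current; };

/* Fill a key from the kernel CSPRNG so nothing static lives in a config file. */
static int ticket_key_generate(struct ticket_key *k, time_t now)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(k->blob, 1, TICKET_KEY_LEN, f) : 0;
    if (f) fclose(f);
    if (n != TICKET_KEY_LEN) { memset(k, 0, sizeof(*k)); return -1; }
    k->created = now; k->used = 1;
    return 0;
}

/* Returns 1 if a new issuing key was generated, 0 if not due, -1 on error. */
int ring_rotate_if_due(struct key_ring *r, time_t now, long max_age)
{
    struct ticket_key *cur = &r->slot[r->current];
    if (cur->used && now - cur->created < max_age) return 0;
    int next = cur->used ? (r->current + 1) % RING_SLOTS : r->current;
    if (ticket_key_generate(&r->slot[next], now) != 0) return -1;
    r->current = next;  /* reuses the oldest slot once the ring is full */
    return 1;
}

/* Map a ticket's key_name to a slot; retired keys still verify old tickets. */
int ring_lookup(const struct key_ring *r, const unsigned char *name)
{
    for (int i = 0; i < RING_SLOTS; i++)
        if (r->slot[i].used && memcmp(r->slot[i].blob, name, KEY_NAME_LEN) == 0)
            return i;
    return -1;
}

int main(void)
{
    struct key_ring ring = {0};
    if (ring_rotate_if_due(&ring, time(NULL), 3600) != 1) return 1;
    printf("issuing key in slot %d\n", ring.current);
    return 0;
}
```

In a server built against OpenSSL, the issuing slot's blob is what would be passed to SSL_CTX_set_tlsext_ticket_keys, inside the OPENSSL_NO_TLSEXT / SSL_CTRL_SET_TLSEXT_TICKET_KEYS guards named in the reply.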