On Sun, Oct 2, 2011 at 12:20 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
> On 30.09.2011 08:08, Paul Querna wrote:
>> Attached is a patch
>> <http://people.apache.org/~pquerna/tls_session_ticket_support.patch>
>> to add support for setting SSL_CTX_set_tlsext_ticket_keys.
>>
>> I have two questions:
>>
>> 1) What is the right ifdef to look for support of this feature? I was
>> just using ifdef SSL_CTX_set_tlsext_ticket_keys and it seemed to work
>> for me......
>
> SSL_CTRL_SET_TLSEXT_TICKET_KEYS and #ifndef OPENSSL_NO_TLSEXT,
> respectively - I would suggest wrapping it in the same way as
> SSL_CTX_set_tlsext_servername_callback/SSL_CTX_set_tlsext_servername_arg.
>
> Generally speaking, I agree with Stefan that such keys shouldn't be
> stored in config files as (static) plain-text strings. RFC 5077 section
> 5.5 lists some recommendations for the management of ticket protection
> keys, although it hastens to add that "A full description [...] is
> beyond the scope of this document".
I've committed an updated patch that stores the key id, hmac secret, and aes key into a file:
<https://svn.apache.org/viewvc?view=revision&revision=1200040>

Feedback welcome!

Thanks,
Paul
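As an added illustration of the file-based approach Paul describes and the guards Kaspar suggests (example code, not the httpd patch itself): a C loader that reads a 48-byte ticket key file, laid out as 16-byte key name, 16-byte HMAC secret, 16-byte AES key (the 48-byte layout SSL_CTX_set_tlsext_ticket_keys consumes), refuses files of the wrong size or readable by group/others, and hands the bytes to OpenSSL under the recommended ifdefs. The HAVE_OPENSSL build flag and the error codes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Layout assumed for the key file (48 bytes, the size
 * SSL_CTX_set_tlsext_ticket_keys takes): 16-byte key name at offset 0,
 * 16-byte HMAC secret at offset 16, 16-byte AES key at offset 32. */
#define TICKET_KEY_LEN 48

/* Returns 0 on success, -1 if the file cannot be read, -2 if it is
 * not exactly 48 bytes, -3 if it is readable by group or others. */
int load_ticket_key_file(const char *path, unsigned char out[TICKET_KEY_LEN])
{
    struct stat st;
    FILE *fp;
    size_t n;

    if (stat(path, &st) != 0)
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -3;              /* key material must be private to the server user */
    if (st.st_size != TICKET_KEY_LEN)
        return -2;
    if ((fp = fopen(path, "rb")) == NULL)
        return -1;
    n = fread(out, 1, TICKET_KEY_LEN, fp);
    fclose(fp);
    if (n != TICKET_KEY_LEN) {
        memset(out, 0, TICKET_KEY_LEN); /* never hand back a partial key */
        return -2;
    }
    return 0;
}

/* HAVE_OPENSSL is a hypothetical build flag for this example; the inner
 * guards are the ones Kaspar suggests instead of #ifdef on the macro name. */
#ifdef HAVE_OPENSSL
#include <openssl/ssl.h>
#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_CTRL_SET_TLSEXT_TICKET_KEYS)
int install_ticket_key(SSL_CTX *ctx, const unsigned char *keys)
{
    unsigned char k[TICKET_KEY_LEN];    /* copy: the ctrl takes a non-const void * */
    memcpy(k, keys, TICKET_KEY_LEN);
    return SSL_CTX_set_tlsext_ticket_keys(ctx, k, TICKET_KEY_LEN) == 1 ? 0 : -1;
}
#endif
#endif
```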