[ https://issues.apache.org/jira/browse/TS-3092?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexey Ivanov updated TS-3092:
------------------------------

Description:

Currently {{SSL_CTX_set_timeout}} is called only if {{params->ssl_session_cache}} equals {{SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER}}, but inside OpenSSL's code that timeout is also used for the TLS ticket (RFC 5077) lifetime hint:

ssl/s3_srvr.c:
{code}
int ssl3_send_newsession_ticket(SSL *s)
...skip...
    /* Ticket lifetime hint (advisory only):
     * We leave this unspecified for resumed session (for simplicity),
     * and guess that tickets for new sessions will live as long
     * as their sessions. */
    l2n(s->hit ? 0 : s->session->timeout, p);
...skip...
{code}

so we should probably set it even if {{ssl_session_cache}} is disabled.

UPDATE: nginx has been doing this for almost a year: http://hg.nginx.org/nginx/rev/767aa37f12de

was:

Currently {{SSL_CTX_set_timeout}} is called only if {{params->ssl_session_cache}} equals {{SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER}}, but inside OpenSSL's code that timeout is also used for the TLS ticket (RFC 5077) lifetime hint:

ssl/s3_srvr.c:
{code}
int ssl3_send_newsession_ticket(SSL *s)
...skip...
    /* Ticket lifetime hint (advisory only):
     * We leave this unspecified for resumed session (for simplicity),
     * and guess that tickets for new sessions will live as long
     * as their sessions. */
    l2n(s->hit ? 0 : s->session->timeout, p);
...skip...
{code}

so we should probably set it even if {{ssl_session_cache}} is disabled.
> SSL_CTX_set_timeout should be set even if Server Side Session Cache is disabled
> -------------------------------------------------------------------------------
>
>                 Key: TS-3092
>                 URL: https://issues.apache.org/jira/browse/TS-3092
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Alexey Ivanov

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
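The following is an added worked example, not code from the issue, from Traffic Server or from OpenSSL. It models in Python the two behaviours the report contrasts: the OpenSSL expression `l2n(s->hit ? 0 : s->session->timeout, p)` that turns the session timeout into the RFC 5077 ticket lifetime hint, and the server-side configuration path in which `SSL_CTX_set_timeout` is only applied when the server session cache is on. It also builds and parses a `NewSessionTicket` handshake message so that the hint a server actually advertises can be audited against the timeout the operator intended. The `library_default` value is a hypothetical placeholder for whatever the TLS library falls back to when no timeout is set; the issue does not state that number, and all sample values are constructed.

```python
import struct

# TLS handshake message type for NewSessionTicket (RFC 5077, section 3.3).
NEW_SESSION_TICKET = 4


def lifetime_hint_for(hit, session_timeout):
    """Mirror of the OpenSSL expression quoted in the issue,
    l2n(s->hit ? 0 : s->session->timeout, p): a resumed session (hit)
    advertises 0 (unspecified); a new session advertises its timeout."""
    return 0 if hit else session_timeout


def effective_timeout(session_cache_mode, configured_timeout, library_default, fixed):
    """Model the server-side configuration path described in the issue.

    session_cache_mode: "server" when the server-side cache is on, "off" otherwise.
    configured_timeout: the value the operator wants passed to SSL_CTX_set_timeout.
    library_default:    the timeout the library falls back to when
                        SSL_CTX_set_timeout is never called (hypothetical
                        parameter; the issue does not state the number).
    fixed:              False models the reported behaviour (timeout applied only
                        when the server cache is enabled); True models the
                        proposed change (timeout applied unconditionally).
    """
    if fixed or session_cache_mode == "server":
        return configured_timeout
    return library_default


def build_new_session_ticket(lifetime_hint, ticket):
    """Construct a NewSessionTicket handshake message (sample data for the demo).
    Body per RFC 5077: uint32 ticket_lifetime_hint, opaque ticket<0..2^16-1>."""
    body = struct.pack("!IH", lifetime_hint, len(ticket)) + ticket
    return bytes([NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


def parse_new_session_ticket(msg):
    """Return (lifetime_hint, ticket) from a NewSessionTicket message.
    Raises ValueError on a truncated or inconsistent message instead of
    trusting the embedded lengths."""
    if len(msg) < 4 or msg[0] != NEW_SESSION_TICKET:
        raise ValueError("not a NewSessionTicket handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated NewSessionTicket")
    hint, ticket_len = struct.unpack("!IH", body[:6])
    if 6 + ticket_len != length:
        raise ValueError("ticket length does not match message length")
    return hint, body[6:6 + ticket_len]


def audit_lifetime_hint(msg, configured_timeout):
    """Compare the hint a server actually sent with the timeout it was meant to
    advertise. Returns "unspecified" (hint 0, which OpenSSL sends for resumed
    sessions), "matches", or "mismatch"."""
    hint, _ = parse_new_session_ticket(msg)
    if hint == 0:
        return "unspecified"
    return "matches" if hint == configured_timeout else "mismatch"


if __name__ == "__main__":
    configured = 3600          # operator's intended session timeout (constructed)
    library_default = 7200     # placeholder for the library fallback (assumption)
    for cache_mode in ("server", "off"):
        for fixed in (False, True):
            timeout = effective_timeout(cache_mode, configured, library_default, fixed)
            msg = build_new_session_ticket(lifetime_hint_for(False, timeout), b"\x00" * 16)
            print(cache_mode, "fixed" if fixed else "reported",
                  audit_lifetime_hint(msg, configured))
```

Running the script shows the one combination the issue is about: with the server cache off and the timeout applied only in server-cache mode, the advertised hint is the library fallback rather than the configured value, which `audit_lifetime_hint` reports as a mismatch; applying the timeout unconditionally makes every combination match.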