On Thu, Oct 27, 2011, Matthias Meixner wrote:

> 
> Hello!
> 
> It looks like my original e-mail has been truncated; therefore, my main
> questions were missing.
> 
> I had already found option SSL_OP_NO_TICKET but I have some questions
> regarding SSL session tickets for which I have not found an answer yet:
> 
>    Is it OK to simply disable them or does this create some security risks?
> 

It's fine. If you disable them the normal stateful session resumption will be
used.

>    What is the advantage of using session tickets instead of session IDs?
> 

The server doesn't need to look up session information from a cache.

>    Can SSL session tickets be used with some kind of external cache?
> 

The tickets themselves are stored by clients. In order to use tickets, a server
needs two keys: a symmetric key and an HMAC key. If you have a distributed
server, they will all need to share the keys in order to process each other's
tickets.

You can use the macros SSL_CTX_get_tlsext_ticket_keys() and
SSL_CTX_set_tlsext_ticket_keys() to do this. There is also a callback
SSL_CTX_set_ticket_key_cb().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
