[PATCH] Add ssl_session_ticket option to enable / disable session tickets

Dirkjan Bussink
January 04, 2014 06:32AM
# HG changeset patch
# User Dirkjan Bussink <d.bussink@gmail.com>
# Date 1388832057 0
# Node ID b236387415f02c6b5874aca5aadd216028edbe00
# Parent 4aa64f6950313311e0d322a2af1788edeb7f036c
Add ssl_session_ticket option to enable / disable session tickets

This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support, either session
tickets have to be reloaded by restarting nginx regularly, or session
tickets have to be disabled.

If session tickets are enabled and the process lives for a long time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occurred during the entire lifetime of the
process.

diff -r 4aa64f695031 -r b236387415f0 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Sat Jan 04 03:32:22 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Sat Jan 04 10:40:57 2014 +0000
@@ -160,6 +160,13 @@
0,
NULL },

+ { ngx_string("ssl_session_ticket"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, session_ticket),
+ NULL },
+
{ ngx_string("ssl_session_ticket_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_array_slot,
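Review bot: the new `ssl_session_ticket` directive arrives with no documentation change in the patch, and its name reads as a sibling of `ssl_session_ticket_key` directly below it even though one is an on/off flag and the other takes a key file; a plural form such as `ssl_session_tickets on|off`, named for the feature being switched, would separate the two at a glance. Document the default (on, per the merge below) alongside it so operators can see that only an explicit `off` changes behaviour.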
@@ -436,6 +443,7 @@
sscf->verify_depth = NGX_CONF_UNSET_UINT;
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
+ sscf->session_ticket = NGX_CONF_UNSET;
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
@@ -644,6 +652,14 @@
return NGX_CONF_ERROR;
}

+ ngx_conf_merge_value(conf->session_ticket, prev->session_ticket, 1);
+
+#ifdef SSL_OP_NO_TICKET
+ if (!conf->session_ticket) {
+ SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
+ }
+#endif
+
ngx_conf_merge_ptr_value(conf->session_ticket_keys,
prev->session_ticket_keys, NULL);
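Review bot: the `#ifdef SSL_OP_NO_TICKET` block has no `#else`, so on an OpenSSL built without the option an explicit `ssl_session_ticket off` is accepted silently and tickets stay enabled, which is exactly the case an operator disabling them for forward secrecy must not miss; emit a configuration-time warning (or reject the directive) in the unsupported case. Also, `session_ticket_keys` is merged right after this block regardless of the flag, so `ssl_session_ticket off` combined with `ssl_session_ticket_key` is accepted without comment; warning on that combination would catch a likely misconfiguration.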

diff -r 4aa64f695031 -r b236387415f0 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Sat Jan 04 03:32:22 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.h Sat Jan 04 10:40:57 2014 +0000
@@ -44,6 +44,7 @@

ngx_shm_zone_t *shm_zone;

+ ngx_flag_t session_ticket;
ngx_array_t *session_ticket_keys;

ngx_flag_t stapling;
diff -r 4aa64f695031 -r b236387415f0 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Sat Jan 04 03:32:22 2014 +0400
+++ b/src/mail/ngx_mail_ssl_module.c Sat Jan 04 10:40:57 2014 +0000
@@ -116,6 +116,13 @@
0,
NULL },

+ { ngx_string("ssl_session_ticket"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, session_ticket),
+ NULL },
+
{ ngx_string("ssl_session_ticket_key"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_array_slot,
@@ -191,6 +198,7 @@
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->builtin_session_cache = NGX_CONF_UNSET;
scf->session_timeout = NGX_CONF_UNSET;
+ scf->session_ticket = NGX_CONF_UNSET;
scf->session_ticket_keys = NGX_CONF_UNSET_PTR;

return scf;
@@ -339,6 +347,15 @@
return NGX_CONF_ERROR;
}

+ ngx_conf_merge_value(conf->session_ticket,
+ prev->session_ticket, 1);
+
+#ifdef SSL_OP_NO_TICKET
+ if (!conf->session_ticket) {
+ SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
+ }
+#endif
+
ngx_conf_merge_ptr_value(conf->session_ticket_keys,
prev->session_ticket_keys, NULL);
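Review bot: this merge plus `SSL_CTX_set_options` block is a line-for-line copy of the one in ngx_http_ssl_module.c; calling `SSL_CTX_set_options` from each protocol module means any later fix (a warning in the unsupported case, for instance) has to be made twice, so move the option handling into one shared helper in the SSL support code that both modules call. Style: the `ngx_conf_merge_value` call is wrapped onto two lines here but fits on one line in the http module; pick one layout.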

diff -r 4aa64f695031 -r b236387415f0 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h Sat Jan 04 03:32:22 2014 +0400
+++ b/src/mail/ngx_mail_ssl_module.h Sat Jan 04 10:40:57 2014 +0000
@@ -41,6 +41,7 @@

ngx_shm_zone_t *shm_zone;

+ ngx_flag_t session_ticket;
ngx_array_t *session_ticket_keys;

u_char *file;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
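As an added example (my own code, not part of this patch or of nginx), the following Python script drives an in-memory TLS 1.2 handshake through Python's ssl module, which wraps the same OpenSSL library nginx links against, and checks whether the client ends the handshake holding a server-issued session ticket with and without OP_NO_TICKET, the option the patch sets on the SSL_CTX when `ssl_session_ticket off` is configured. It assumes a Python 3 build linked against an OpenSSL that still offers the anonymous ECDH cipher suites; those are chosen purely so that no certificate has to be generated and are an example-only assumption, never something to deploy.

```python
"""
Added example, not part of the patch or of nginx: an in-memory TLS 1.2
handshake driven through Python's ssl module (a thin wrapper over
OpenSSL) that shows what the option the patch sets, SSL_OP_NO_TICKET
(ssl.OP_NO_TICKET here), does on the wire.  With the option clear the
client finishes the handshake holding a server-issued session ticket;
with it set the server falls back to session IDs and no ticket is
issued.  Anonymous ECDH is used only so the example needs no
certificate; that is an example-only assumption, never a production
setting.
"""
import ssl

# Example-only cipher choice: anonymous ECDH needs neither a certificate
# nor DH parameters.  @SECLEVEL=0 is required because OpenSSL refuses
# anonymous suites at its default security level.
_ANON_CIPHERS = "AECDH-AES256-SHA:AECDH-AES128-SHA:@SECLEVEL=0"


def make_server_ctx(session_tickets: bool) -> ssl.SSLContext:
    """Server context; session_tickets=False mirrors 'ssl_session_ticket off'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Pin TLS 1.2: in TLS 1.3 tickets arrive in post-handshake messages,
    # so a single do_handshake() would not see them either way.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(_ANON_CIPHERS)
    if not session_tickets:
        # The same option bit the patch sets on nginx's SSL_CTX.
        ctx.options |= ssl.OP_NO_TICKET
    return ctx


def make_client_ctx() -> ssl.SSLContext:
    """Client context matching the server's example-only cipher choice."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # anonymous ECDH: nothing to verify
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(_ANON_CIPHERS)
    return ctx


def handshake(server_ctx: ssl.SSLContext,
              client_ctx: ssl.SSLContext) -> ssl.SSLObject:
    """Shuttle handshake records between a client and a server SSLObject
    over MemoryBIO pairs until both sides report completion; return the
    client object so its negotiated session can be inspected."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    client_done = server_done = False
    for _ in range(10):  # a full TLS 1.2 handshake needs two round trips
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        flight = c_out.read()           # client -> server
        if flight:
            s_in.write(flight)
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        flight = s_out.read()           # server -> client
        if flight:
            c_in.write(flight)
        if client_done and server_done:
            return client
    raise RuntimeError("handshake did not complete")


def client_got_ticket(session_tickets: bool) -> bool:
    """True if the server issued a session ticket during the handshake."""
    client = handshake(make_server_ctx(session_tickets), make_client_ctx())
    session = client.session
    return session is not None and session.has_ticket


if __name__ == "__main__":
    print("tickets on : client holds ticket =", client_got_ticket(True))
    print("tickets off: client holds ticket =", client_got_ticket(False))
```

Run directly, the script prints one line per setting. The same check against a running server is the `TLS session ticket:` block in `openssl s_client -connect host:port` output: it appears when a ticket was issued and is absent once tickets are off. Note the TLS 1.2 pin in the example: under TLS 1.3 the ticket comes in a post-handshake NewSessionTicket message, so a check that only completes the handshake cannot tell the two settings apart even though the option still controls whether the server issues one.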
Subject / Author / Views / Posted

[PATCH] Add ssl_session_ticket option to enable / disable session tickets
    Dirkjan Bussink, 1011 views, January 04, 2014 06:32AM

Re: [PATCH] Add ssl_session_ticket option to enable / disable session tickets
    Maxim Dounin, 418 views, January 09, 2014 11:48AM

Re: [PATCH] Add ssl_session_ticket option to enable / disable session tickets
    Dirkjan Bussink, 355 views, January 10, 2014 09:50AM

Re: [PATCH] Add ssl_session_ticket option to enable / disable session tickets
    Dirkjan Bussink, 392 views, January 10, 2014 10:24AM
