author | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2019-02-27 15:24:18 +0000 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@verizonmedia.com> | 2019-02-27 15:24:18 +0000 |
commit | e5c34db05cd7890db31c338eb48865cf6cbef6c6 (patch) | |
tree | c11b1a38d3cbaa89182deed5ba9a84001075e078 /vespalib | |
parent | c29008fc2e44a77e49792a97939b433d3ad005f0 (diff) |
Explicitly disable OpenSSL TLS session resumption
Diffstat (limited to 'vespalib')
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp | 6 | ||||
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h | 1 |
2 files changed, 7 insertions, 0 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index fec11c9d18e..c87dc1d2148 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -209,6 +209,7 @@ OpenSslTlsContextImpl::OpenSslTlsContextImpl(
     enable_ephemeral_key_exchange();
     disable_compression();
     disable_renegotiation();
+    disable_session_resumption();
     enforce_peer_certificate_verification();
     set_ssl_ctx_self_reference();
     if (!ts_opts.accepted_ciphers().empty()) {
@@ -321,6 +322,11 @@ void OpenSslTlsContextImpl::disable_renegotiation() {
 #endif
 }
 
+void OpenSslTlsContextImpl::disable_session_resumption() {
+    SSL_CTX_set_session_cache_mode(_ctx.get(), SSL_SESS_CACHE_OFF);
+    SSL_CTX_set_options(_ctx.get(), SSL_OP_NO_TICKET);
+}
+
 namespace {
 
 // There's no good reason for entries to contain embedded nulls, aside from
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
index c5444dc702e..31814dad8ba 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
@@ -41,6 +41,7 @@ private:
     // the connection if it's attempted by the peer), but this should signal
     // explicitly to the peer that it's not a supported action.
     void disable_renegotiation();
+    void disable_session_resumption();
     void enforce_peer_certificate_verification();
     void set_ssl_ctx_self_reference();
     void set_accepted_cipher_suites(const std::vector<vespalib::string>& ciphers); |
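Review bot: In the new `disable_session_resumption`, `SSL_OP_NO_TICKET` only switches off stateless session tickets; with TLS 1.3 on OpenSSL 1.1.1 a server can still issue a stateful ticket backed by the session cache, and whether the `SSL_SESS_CACHE_OFF` call is enough to stop that depends on the OpenSSL release, so the two calls as written do not by themselves guarantee that no resumable session leaves the server. The explicit way to state the intent is to also call `SSL_CTX_set_num_tickets(_ctx.get(), 0);` behind a version guard such as `#if OPENSSL_VERSION_NUMBER >= 0x10101000L`, which fits the pattern the `#endif` at the top of this hunk shows the file already uses for version-dependent calls. A one-line comment above the function saying that both session-ID caching and session tickets are turned off so that every connection performs a full handshake would also help the next reader. A test that opens two connections against the same context and asserts `SSL_session_reused()` is false on the second would pin the behavior regardless of OpenSSL version.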
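Review bot: The new `disable_session_resumption();` declaration in the header has no comment, while the neighbouring `disable_renegotiation();` carries a two-line explanation of what it disables and why, so the class documentation is now uneven for two closely related hardening steps. I would add a comment in the same style above the new declaration, e.g. `// Disables both session-ID caching and session tickets so that every connection performs a full handshake; see disable_session_resumption() in the .cpp for OpenSSL version caveats.`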