authorTor Brede Vekterli <vekterli@verizonmedia.com>2019-02-27 15:24:18 +0000
committerTor Brede Vekterli <vekterli@verizonmedia.com>2019-02-27 15:24:18 +0000
commite5c34db05cd7890db31c338eb48865cf6cbef6c6 (patch)
treec11b1a38d3cbaa89182deed5ba9a84001075e078 /vespalib
parentc29008fc2e44a77e49792a97939b433d3ad005f0 (diff)
Explicitly disable OpenSSL TLS session resumption
Diffstat (limited to 'vespalib')
-rw-r--r--vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp6
-rw-r--r--vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h1
2 files changed, 7 insertions, 0 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index fec11c9d18e..c87dc1d2148 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -209,6 +209,7 @@ OpenSslTlsContextImpl::OpenSslTlsContextImpl(
enable_ephemeral_key_exchange();
disable_compression();
disable_renegotiation();
+ disable_session_resumption();
enforce_peer_certificate_verification();
set_ssl_ctx_self_reference();
if (!ts_opts.accepted_ciphers().empty()) {
@@ -321,6 +322,11 @@ void OpenSslTlsContextImpl::disable_renegotiation() {
#endif
}
+void OpenSslTlsContextImpl::disable_session_resumption() {
+ SSL_CTX_set_session_cache_mode(_ctx.get(), SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_options(_ctx.get(), SSL_OP_NO_TICKET);
+}
+
namespace {
// There's no good reason for entries to contain embedded nulls, aside from
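Review bot: `SSL_OP_NO_TICKET` on the `SSL_CTX_set_options` line only suppresses stateless tickets; when this context is built against OpenSSL 1.1.1 with TLSv1.3 enabled, the server can still issue stateful (session-id style) tickets, so the two calls in `disable_session_resumption` may not turn resumption fully off. The explicit form for that version is `SSL_CTX_set_num_tickets(_ctx.get(), 0);` after the options call, wrapped in the same OpenSSL version guard the file already uses (the `#endif` that opens this hunk suggests one is in place). I have not confirmed whether `SSL_SESS_CACHE_OFF` alone prevents the NewSessionTicket message in that build, and even if the ticket is unusable the peer would still attempt a resumption that has to be rejected; setting the ticket count to zero removes the ambiguity and makes the intent checkable on the wire. The new function is complete within the hunk, whereas `disable_renegotiation`, whose closing lines start it, begins outside the hunk.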
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
index c5444dc702e..31814dad8ba 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
@@ -41,6 +41,7 @@ private:
// the connection if it's attempted by the peer), but this should signal
// explicitly to the peer that it's not a supported action.
void disable_renegotiation();
+ void disable_session_resumption();
void enforce_peer_certificate_verification();
void set_ssl_ctx_self_reference();
void set_accepted_cipher_suites(const std::vector<vespalib::string>& ciphers);
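Review bot: The new `disable_session_resumption();` declaration is the only member in this group without a why-comment, while the neighbouring `disable_renegotiation` carries one explaining its rationale. Suggest adding above it: `// Resumed sessions skip the full handshake, and with it the peer certificate verification enforced on every new connection; tickets additionally depend on a long-lived ticket encryption key. Keeping every connection on the full handshake path is simpler to reason about.` The enclosing class declaration starts and ends outside this hunk.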