diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2009-01-26 14:36:18 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2009-01-26 14:36:18 +0000 |
| commit | 8fa8df95fb10d8aede9f3e40300865d06b8ad204 (patch) | |
| tree | 73a2f0a3bf2b06c077f6e6e0b498e6b974f75509 /lib | |
| parent | 82ca52713bbb7b31e5d269e7f50dbc0cd065a297 (diff) | |
- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
disable "rfc4507bis session ticket support". rfc4507bis was later turned
into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
The enabled extension concerns the session management. I wonder how often
libcurl stops a connection and then resumes a TLS session. also, sending the
session data is some overhead. .I suggest that you just use your proposed
patch (which explicitly disables TICKET).
If someone writes an application with libcurl and openssl who wants to
enable the feature, one can do this in the SSL callback.
Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
on the proper action.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssluse.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index ec3c53157..cb2a2163d 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -1385,8 +1385,28 @@ ossl_connect_step1(struct connectdata *conn, enable the bug workaround options if compatibility with somewhat broken implementations is desired." + The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to + disable "rfc4507bis session ticket support". rfc4507bis was later turned + into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077 + + The enabled extension concerns the session management. I wonder how often + libcurl stops a connection and then resumes a TLS session. also, sending + the session data is some overhead. .I suggest that you just use your + proposed patch (which explicitly disables TICKET). + + If someone writes an application with libcurl and openssl who wants to + enable the feature, one can do this in the SSL callback. + */ - SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL); +#ifdef SSL_OP_NO_TICKET + /* expect older openssl releases to not have this define so only use it if + present */ +#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET +#else +#define CURL_CTX_OPTIONS SSL_OP_ALL +#endif + + SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) |