diff options
| -rw-r--r-- | CHANGES | 15 | ||||
| -rw-r--r-- | RELEASE-NOTES | 5 | ||||
| -rw-r--r-- | lib/ssluse.c | 24 |
3 files changed, 41 insertions, 3 deletions
@@ -7,6 +7,21 @@ Changelog Daniel Stenberg (26 Jan 2009) +- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to + disable "rfc4507bis session ticket support". rfc4507bis was later turned + into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077 + + The enabled extension concerns the session management. I wonder how often + libcurl stops a connection and then resumes a TLS session. also, sending the + session data is some overhead. .I suggest that you just use your proposed + patch (which explicitly disables TICKET). + + If someone writes an application with libcurl and openssl who wants to + enable the feature, one can do this in the SSL callback. + + Sharad Gupta brought this to my attention. Peter Sylvester helped me decide + on the proper action. + - Alexey Borzov filed bug report #2535504 (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with quoted quotation marks in HTTP Digest headers didn't work. I've now added diff --git a/RELEASE-NOTES b/RELEASE-NOTES index a54f611cb..2bafd5a32 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -10,6 +10,8 @@ Curl and libcurl 7.19.4 This release includes the following changes: o Added CURLOPT_NOPROXY and the corresponding --noproxy + o the OpenSSL-specific code disables TICKET (rfc5077) which is enabled by default + in openssl 0.9.8j This release includes the following bugfixes: @@ -24,6 +26,7 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: - Lisa Xu, Daniel Fandrich, Craig A West, Alexey Borzov + Lisa Xu, Daniel Fandrich, Craig A West, Alexey Borzov, Sharad Gupta, + Peter Sylvester Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/ssluse.c b/lib/ssluse.c index ec3c53157..cb2a2163d 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -1385,8 +1385,28 @@ ossl_connect_step1(struct connectdata *conn, enable the bug workaround options if compatibility with somewhat broken implementations is desired." + The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to + disable "rfc4507bis session ticket support". rfc4507bis was later turned + into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077 + + The enabled extension concerns the session management. I wonder how often + libcurl stops a connection and then resumes a TLS session. also, sending + the session data is some overhead. .I suggest that you just use your + proposed patch (which explicitly disables TICKET). + + If someone writes an application with libcurl and openssl who wants to + enable the feature, one can do this in the SSL callback. + */ - SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL); +#ifdef SSL_OP_NO_TICKET + /* expect older openssl releases to not have this define so only use it if + present */ +#define CURL_CTX_OPTIONS SSL_OP_ALL|SSL_OP_NO_TICKET +#else +#define CURL_CTX_OPTIONS SSL_OP_ALL +#endif + + SSL_CTX_set_options(connssl->ctx, CURL_CTX_OPTIONS); /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) |