[PATCH] Add ssl_session_ticket option to enable / disable session tickets
Dirkjan Bussink
d.bussink at gmail.com
Sat Jan 4 11:30:53 UTC 2014
# HG changeset patch
# User Dirkjan Bussink <d.bussink at gmail.com>
# Date 1388832057 0
# Node ID b236387415f02c6b5874aca5aadd216028edbe00
# Parent 4aa64f6950313311e0d322a2af1788edeb7f036c
Add ssl_session_ticket option to enable / disable session tickets
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either session
tickets have to be reloaded by restarting nginx regularly, or by
disabling session tickets.
If session tickets are enabled and the process lives for a long time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occurred during the entire lifetime of the
process.
diff -r 4aa64f695031 -r b236387415f0 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Sat Jan 04 03:32:22 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Sat Jan 04 10:40:57 2014 +0000
@@ -160,6 +160,13 @@
0,
NULL },
+ { ngx_string("ssl_session_ticket"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, session_ticket),
+ NULL },
+
{ ngx_string("ssl_session_ticket_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_array_slot,
@@ -436,6 +443,7 @@
sscf->verify_depth = NGX_CONF_UNSET_UINT;
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
+ sscf->session_ticket = NGX_CONF_UNSET;
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
@@ -644,6 +652,14 @@
return NGX_CONF_ERROR;
}
+ ngx_conf_merge_value(conf->session_ticket, prev->session_ticket, 1);
+
+#ifdef SSL_OP_NO_TICKET
+ if (!conf->session_ticket) {
+ SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
+ }
+#endif
+
ngx_conf_merge_ptr_value(conf->session_ticket_keys,
prev->session_ticket_keys, NULL);
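Review bot: When the linked OpenSSL lacks SSL_OP_NO_TICKET, the `#ifdef` block makes `ssl_session_ticket off` a silent no-op: the flag is merged, no option is set, and tickets stay enabled although the operator explicitly turned them off for the forward-secrecy reason given in the description. Since `ssl_session_ticket` is a hardening directive, the unsupported case should fail closed like the error path just above the hunk rather than be ignored; the rewrite below reports it through `cf->log` and returns NGX_CONF_ERROR. The same `#ifdef` pattern appears in the src/mail/ngx_mail_ssl_module.c merge hunk and needs the same treatment. It is also worth a warning, probably in the code after this hunk, when `ssl_session_ticket_key` is configured while tickets are off, since those keys would then presumably never be used. The enclosing merge function begins and ends outside the hunk.
```c
    ngx_conf_merge_value(conf->session_ticket, prev->session_ticket, 1);

    if (!conf->session_ticket) {
#ifdef SSL_OP_NO_TICKET
        SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
#else
        /* the directive was set to "off" but this OpenSSL cannot honour it */
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "\"ssl_session_ticket off\" is not supported "
                      "by the OpenSSL library in use");
        return NGX_CONF_ERROR;
#endif
    }

    /* … unchanged: session_ticket_keys merge … */
```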
diff -r 4aa64f695031 -r b236387415f0 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Sat Jan 04 03:32:22 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.h Sat Jan 04 10:40:57 2014 +0000
@@ -44,6 +44,7 @@
ngx_shm_zone_t *shm_zone;
+ ngx_flag_t session_ticket;
ngx_array_t *session_ticket_keys;
ngx_flag_t stapling;
diff -r 4aa64f695031 -r b236387415f0 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Sat Jan 04 03:32:22 2014 +0400
+++ b/src/mail/ngx_mail_ssl_module.c Sat Jan 04 10:40:57 2014 +0000
@@ -116,6 +116,13 @@
0,
NULL },
+ { ngx_string("ssl_session_ticket"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, session_ticket),
+ NULL },
+
{ ngx_string("ssl_session_ticket_key"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_array_slot,
@@ -191,6 +198,7 @@
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->builtin_session_cache = NGX_CONF_UNSET;
scf->session_timeout = NGX_CONF_UNSET;
+ scf->session_ticket = NGX_CONF_UNSET;
scf->session_ticket_keys = NGX_CONF_UNSET_PTR;
return scf;
@@ -339,6 +347,15 @@
return NGX_CONF_ERROR;
}
+ ngx_conf_merge_value(conf->session_ticket,
+ prev->session_ticket, 1);
+
+#ifdef SSL_OP_NO_TICKET
+ if (!conf->session_ticket) {
+ SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_NO_TICKET);
+ }
+#endif
+
ngx_conf_merge_ptr_value(conf->session_ticket_keys,
prev->session_ticket_keys, NULL);
diff -r 4aa64f695031 -r b236387415f0 src/mail/ngx_mail_ssl_module.h
--- a/src/mail/ngx_mail_ssl_module.h Sat Jan 04 03:32:22 2014 +0400
+++ b/src/mail/ngx_mail_ssl_module.h Sat Jan 04 10:40:57 2014 +0000
@@ -41,6 +41,7 @@
ngx_shm_zone_t *shm_zone;
+ ngx_flag_t session_ticket;
ngx_array_t *session_ticket_keys;
u_char *file;