Changeset e9ef72c in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Jun 20, 2016, 2:51:01 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
743e31f
Parents:
5a5032f
git-author:
Thomas Klute <thomas2.klute@…> (06/20/16 13:29:13)
git-committer:
Thomas Klute <thomas2.klute@…> (06/20/16 14:51:01)
Message:

Disable GnuTLSSessionTickets by default as described in handbook

The handbook clearly states that the default value for
GnuTLSSessionTickets is "off", but the actual setting in post config
was the opposite (which matched mod_ssl behavior). The code has been
changed to match documentation.

Additionally the handbook has been expanded regarding session ticket
use and security. The comment about the cache timeout being used for
session ticket expiration has been removed for being plainly wrong.

File:
1 edited

  • src/gnutls_hooks.c

    r5a5032f re9ef72c  
    422422            sc->enabled = GNUTLS_ENABLED_FALSE;
    423423        if (sc->tickets == GNUTLS_ENABLED_UNSET)
    424             sc->tickets = GNUTLS_ENABLED_TRUE;
     424            sc->tickets = GNUTLS_ENABLED_FALSE;
    425425        if (sc->export_certificates_size < 0)
    426426            sc->export_certificates_size = 0;
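Review bot: the new default at new line 424 changes behaviour for every server that never set GnuTLSSessionTickets, and the code itself carries no comment saying so. Those servers stop offering session tickets after the upgrade without any configuration change on their side. Please add a short comment above `sc->tickets = GNUTLS_ENABLED_FALSE;` stating that tickets are off unless explicitly enabled, as documented in the handbook, and mention the change in the changelog so administrators who relied on the old implicit default know to enable the directive explicitly.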
     
    832832                          gnutls_strerror(err), err);
    833833        /* Initialize Session Tickets */
    834         if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
     834        if (session_ticket_key.data != NULL &&
     835            ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
    835836        {
    836837            err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
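Review bot: the test at new lines 834-835 now enables tickets only when `ctxt->sc->tickets == GNUTLS_ENABLED_TRUE`, so it relies on the post config step in the first hunk having already resolved GNUTLS_ENABLED_UNSET. The old `!= 0` comparison accepted any non-zero state, while the new one leaves tickets off for anything other than an explicit TRUE. Failing closed is the right direction, but the dependency is not visible here; consider extending the `/* Initialize Session Tickets */` comment to say that UNSET is expected to have been mapped to FALSE in post config and that tickets are enabled only on explicit request.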