Changeset e9ef72c in mod_gnutls for src/gnutls_hooks.c

Timestamp:

Jun 20, 2016, 2:51:01 PM (3 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, master, upstream

Children:

743e31f

Parents:

5a5032f

git-author:

Thomas Klute <thomas2.klute@…> (06/20/16 13:29:13)

git-committer:

Thomas Klute <thomas2.klute@…> (06/20/16 14:51:01)

Message:

Disable GnuTLSSessionTickets by default as described in handbook

The handbook clearly states that the default value for
GnuTLSSessionTickets is "off", but the actual setting in post config
was the opposite (which matched mod_ssl behavior). The code has been
changed to match documentation.

Additionally the handbook has been expanded regarding session ticket
use and security. The comment about the cache timeout being used for
session ticket expiration has been removed for being plainly wrong.

File:

• src/gnutls_hooks.c (modified) (2 diffs)

src/gnutls_hooks.c

@@ -422 +422 @@
             sc->enabled = GNUTLS_ENABLED_FALSE;
         if (sc->tickets == GNUTLS_ENABLED_UNSET)
-            sc->tickets = GNUTLS_ENABLED_TRUE;
+            sc->tickets = GNUTLS_ENABLED_FALSE;
         if (sc->export_certificates_size < 0)
             sc->export_certificates_size = 0;
@@ -832 +832 @@
                           gnutls_strerror(err), err);
         /* Initialize Session Tickets */
-        if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
+        if (session_ticket_key.data != NULL &&
+            ctxt->sc->tickets == GNUTLS_ENABLED_TRUE)
         {
             err = gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);