On 17/03/14 11:08, Steffan Karger wrote:
> Hi,
>
>> -----Original Message-----
>> From: Gert Doering [mailto:g...@greenie.muc.de]
>> Sent: Monday, 17 March 2014 9:34
>> Subject: Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL
>> context for OpenSSL builds, to disable TLS stateless session
>> resumption.
>>
>> Hi,
>>
>> On Sun, Mar 16, 2014 at 06:49:36PM -0600, James Yonan wrote:
>>> OpenVPN doesn't want or need SSL session renegotiation or resumption,
>>> as it handles renegotiation on its own.
>>>
>>> For this reason, OpenVPN always disables the SSL session cache:
>>>
>>> SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
>>>
>>> However, even with the above code, stateless session resumption is
>>> still possible unless explicitly disabled with the SSL_OP_NO_TICKET
>>> flag. This patch does this.
>>
>> I assume this should go into all OpenVPN branches, that is, master,
>> 2.3, and if we ever do another 2.2, into that one as well?
>>
>> (not ACKing or NAKing the patch itself, this is not my field of
>> expertise)
>
> I think this should go into all releases we'll do from now on.
>
> Also, ACK on the patch. Together with SSL_SESS_CACHE_OFF, this seems
> to fully disable TLS session renegotiation and resumption.
This patch only covers OpenSSL. Is there an equivalent for PolarSSL as well? Or isn't it needed at all on PolarSSL?

-- 
kind regards,
David Sommerseth