Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391 Allow TLS Session Tickets to be disabled. Patch provided by Josiah Purtlebaugh. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1647530 13f79535-47bb-0310-9956-ffa450edef68

commit: 02119a8ea7faabe7d6f7d74ef9bd13644ec55a58 [log] [tgz]
author: Mark Thomas <markt@apache.org> Tue Dec 23 10:09:03 2014 +0000
committer: Mark Thomas <markt@apache.org> Tue Dec 23 10:09:03 2014 +0000
tree: e752c250b910dd0ec2dbe332f140b0528aca1f64
parent: 08523f3bd88f9293f479557a8df64f3c092b9725 [diff]
diff --git a/java/org/apache/coyote/http11/Http11AprProtocol.java b/java/org/apache/coyote/http11/Http11AprProtocol.java
index 04333de..3af66dc 100644
--- a/java/org/apache/coyote/http11/Http11AprProtocol.java
+++ b/java/org/apache/coyote/http11/Http11AprProtocol.java

@@ -183,6 +183,13 @@
     public boolean getSSLDisableCompression() { return ((AprEndpoint)getEndpoint()).getSSLDisableCompression(); }
     public void setSSLDisableCompression(boolean disable) { ((AprEndpoint)getEndpoint()).setSSLDisableCompression(disable); }
 
+    /**
+     * Disable TLS Session Tickets (RFC 4507).
+     */
+    public boolean getSSLDisableSessionTickets() { return ((AprEndpoint)getEndpoint()).getSSLDisableSessionTickets(); }
+    public void setSSLDisableSessionTickets(boolean enable) { ((AprEndpoint)getEndpoint()).setSSLDisableSessionTickets(enable); }
+
+
     // ----------------------------------------------------- JMX related methods
 
     @Override

diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
index 3dc7b44..0aea843 100644
--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AprEndpoint.java

@@ -271,6 +271,12 @@
     public String getSSLCARevocationFile() { return SSLCARevocationFile; }
     public void setSSLCARevocationFile(String SSLCARevocationFile) { this.SSLCARevocationFile = SSLCARevocationFile; }
 
+    /**
+     * SSL disable TLS Session Tickets (RFC 4507).
+     */
+    protected boolean SSLDisableSessionTickets = false;
+    public boolean getSSLDisableSessionTickets() { return SSLDisableSessionTickets; }
+    public void setSSLDisableSessionTickets(boolean SSLDisableSessionTickets) { this.SSLDisableSessionTickets = SSLDisableSessionTickets; }
 
     /**
      * SSL verify client.
@@ -576,6 +582,24 @@
                 }
             }
 
+            // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
+            if (SSLDisableSessionTickets) {
+                boolean disableSessionTicketsSupported = false;
+                try {
+                    disableSessionTicketsSupported = SSL.hasOp(SSL.SSL_OP_NO_TICKET);
+                    if (disableSessionTicketsSupported)
+                        SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_TICKET);
+                } catch (UnsatisfiedLinkError e) {
+                    // Ignore
+                }
+
+                if (!disableSessionTicketsSupported) {
+                    // OpenSSL is too old to support TLS Session Tickets.
+                    log.warn(sm.getString("endpoint.warn.noDisableSessionTickets",
+                                          SSL.versionString()));
+                }
+            }
+
             // List the ciphers that the client is permitted to negotiate
             SSLContext.setCipherSuite(sslContext, SSLCipherSuite);
             // Load Server key and certificate

diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index fbe0c9c..299b80c 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties

@@ -19,6 +19,7 @@
 endpoint.err.unexpected=Unexpected error processing socket
 endpoint.warn.noExector=Failed to process socket [{0}] in state [{1}] because the executor had already been shutdown
 endpoint.warn.noDisableCompression='Disable compression' option is not supported by the SSL library {0}
+endpoint.warn.noDisableSessionTickets='Disable TLS Session Tickets' option is not supported by the SSL library {0}
 endpoint.warn.noHonorCipherOrder='Honor cipher order' option is not supported by the SSL library {0}
 endpoint.warn.noInsecureReneg=Secure re-negotiation is not supported by the SSL library {0}
 endpoint.warn.unlockAcceptorFailed=Acceptor thread [{0}] failed to unlock. Forcing hard socket shutdown.

diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 28b2c38..d42c6b2 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml

@@ -1348,6 +1348,11 @@
       "10".</p>
     </attribute>
 
+    <attribute name="SSLDisableSessionTickets" required="false">
+      <p>Disables use of TLS Session Tickets (RFC 4507) if set to
+      <code>true</code>. Default is <code>false</code>.</p>
+    </attribute>
+
   </attributes>
 
   </subsection>
commit	02119a8ea7faabe7d6f7d74ef9bd13644ec55a58	[log] [tgz]
author	Mark Thomas <markt@apache.org>	Tue Dec 23 10:09:03 2014 +0000
committer	Mark Thomas <markt@apache.org>	Tue Dec 23 10:09:03 2014 +0000
tree	e752c250b910dd0ec2dbe332f140b0528aca1f64
parent	08523f3bd88f9293f479557a8df64f3c092b9725 [diff]