On 28/12/2014 20:08, Christopher Schultz wrote: > Mark, > > On 12/23/14 5:09 AM, ma...@apache.org wrote: >> Author: markt >> Date: Tue Dec 23 10:09:03 2014 >> New Revision: 1647530 >> >> URL: http://svn.apache.org/r1647530 >> Log: >> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391 >> Allow TLS Session Tickets to be disabled. >> Patch provided by Josiah Purtlebaugh.
<snip/> > I think if the user requests disabled session tickets and the SSL > library doesn't "have" that option-code, we should fail, here, instead > of silently ignoring the request. I believe this is justified based upon > the security implications of the setting. If OpenSSL doesn't support SSL_OP_NO_TICKET then it doesn't support session tickets (the features were added in the same release). Silently ignoring the request to disable a feature that isn't implemented is the right thing to do and there are no security implications. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
