Mark,

On 12/31/14 12:51 PM, Mark Thomas wrote:
> On 28/12/2014 20:08, Christopher Schultz wrote:
>> Mark,
>>
>> On 12/23/14 5:09 AM, ma...@apache.org wrote:
>>> Author: markt
>>> Date: Tue Dec 23 10:09:03 2014
>>> New Revision: 1647530
>>>
>>> URL: http://svn.apache.org/r1647530
>>> Log:
>>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57391
>>> Allow TLS Session Tickets to be disabled.
>>> Patch provided by Josiah Purtlebaugh.
>
> <snip/>
>
>> I think if the user requests disabled session tickets and the SSL
>> library doesn't "have" that option-code, we should fail, here, instead
>> of silently ignoring the request. I believe this is justified based upon
>> the security implications of the setting.
>
> If OpenSSL doesn't support SSL_OP_NO_TICKET then it doesn't support
> session tickets (the features were added in the same release). Silently
> ignoring the request to disable a feature that isn't implemented is the
> right thing to do and there are no security implications.

Thanks for the clarification. Of course you are right.

-chris