curl-users
Re: TLS extensions enabled by default in OpenSSL 0.9.8j
Date: Thu, 22 Jan 2009 19:48:00 +0100 (CET)
On Thu, 22 Jan 2009, Sharad Gupta wrote:
> Are there any plans on being able to pass the "-no_ticket" option that has
> been introduced in OpenSSL 0.9.8j? It's basically a flag to disable TLS
> extensions which are enabled by default in 0.9.8j release of OpenSSL.
I had trouble finding info on this topic, so I thought I might help others by
mentioning that -no_ticket disables "rfc4507bis session ticket support".
rfc4507bis was later turned into the proper RFC5077 it seems:
http://tools.ietf.org/html/rfc5077
> If I try to use the new openssl library with curl, I am not able to connect
> to SSL enabled HTTP sites using TLSv1. I can only use SSLv3 in that case.
> And as it stands, there is no way that I can tell curl to pass the
> "no_ticket" option to openssl.
Ironically enough it seems servers using older openssl 0.9.7 versions are
showing this problem.
If I understand things right, the following is a work-around:
diff -u -r1.214 ssluse.c
--- lib/ssluse.c 21 Jan 2009 04:42:47 -0000 1.214
+++ lib/ssluse.c 22 Jan 2009 18:51:03 -0000
@@ -1386,7 +1386,7 @@
implementations is desired."
*/
- SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL|SSL_OP_NO_TICKET);
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
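Review bot: the changed line hardcodes SSL_OP_NO_TICKET for every connection, so this work-around also switches off RFC 5077 session-ticket resumption against servers that handle the extension correctly; the question that started the thread asks for a way to pass the option, so exposing it as a setting with the current default unchanged would be the better shape, or at minimum a comment above `SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL|SSL_OP_NO_TICKET);` explaining the 0.9.7 server interop problem it works around. The new flag should also be wrapped in `#ifdef SSL_OP_NO_TICKET`, because OpenSSL builds predating the option do not define the symbol and this hunk would not compile against them.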
--
/ daniel.haxx.se
Received on 2009-01-22