curl-library

[RFC] TLS Session Tickets

From: Alessandro Ghedini <alessandro_at_ghedini.me>
Date: Mon, 16 Feb 2015 20:57:58 +0100

Hello,

I was looking into enabling TLS session tickets (RFC5077) (which allow session
resumption without server-side state), when I noticed that in the OpenSSL code
they are explicitly disabled.

I traced this back to commit 8fa8df95 which says:

    - The "-no_ticket" option was introduced in OpenSSL 0.9.8j. It's a flag to
      disable "rfc4507bis session ticket support". rfc4507bis was later turned
      into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077

      The enabled extension concerns the session management. I wonder how often
      libcurl stops a connection and then resumes a TLS session. Also, sending the
      session data is some overhead. I suggest that you just use your proposed
      patch (which explicitly disables TICKET).

      If someone writes an application with libcurl and openssl who wants to
      enable the feature, one can do this in the SSL callback.

This was in 2009, so I'm wondering if anyone has any interest in enabling this
again now.

Arguably, from curl's POV, session tickets don't provide much benefit compared
to session ids (which curl already supports), but it seems that they are
generally preferred by servers and it might be worth adding support for them to
curl for server debugging purposes (it's also worth noting that pretty much all
browsers support them).

Cheers

[0] http://tools.ietf.org/html/rfc5077
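The option the commit message refers to is OpenSSL's SSL_OP_NO_TICKET bit (what "-no_ticket" sets on the command line), and "doing it in the SSL callback" means clearing that bit on the SSL_CTX before the handshake, i.e. SSL_CTX_clear_options(ctx, SSL_OP_NO_TICKET) from a CURLOPT_SSL_CTX_FUNCTION callback. The following is an added example, not code from this mail or from the curl project; it uses Python's ssl module as a stand-in for the C API, because ssl.OP_NO_TICKET is the same OpenSSL option bit, so the three states an application can be in (library default, tickets explicitly disabled, tickets re-enabled by the application) can be inspected without a live server. The context is a plain client context with no peer involved; no handshake takes place.

```python
import ssl

# ssl.OP_NO_TICKET is Python's name for OpenSSL's SSL_OP_NO_TICKET, the flag
# that disables the RFC 5077 session ticket extension. A library that sets it
# (as libcurl did after commit 8fa8df95) forces the peer to fall back to
# session IDs, which need a server-side session cache.


def new_client_context() -> ssl.SSLContext:
    """A stand-in for the SSL_CTX a library hands to the application's callback."""
    return ssl.create_default_context()


def session_tickets_enabled(ctx: ssl.SSLContext) -> bool:
    """True if the context will offer/accept the session ticket extension."""
    return not (ctx.options & ssl.OP_NO_TICKET)


def disable_session_tickets(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """What the libcurl patch discussed in the mail does: set SSL_OP_NO_TICKET."""
    ctx.options |= ssl.OP_NO_TICKET
    return ctx


def enable_session_tickets(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """What an application does in its SSL callback to opt back in.

    The C equivalent is SSL_CTX_clear_options(ctx, SSL_OP_NO_TICKET); Python's
    option setter performs the clear for any bit that was previously set.
    """
    ctx.options &= ~ssl.OP_NO_TICKET
    return ctx


def describe_resumption(ctx: ssl.SSLContext) -> str:
    """Human-readable summary of which resumption mechanism the context allows."""
    if session_tickets_enabled(ctx):
        return "tickets (RFC 5077, stateless on the server) or session IDs"
    return "session IDs only (server must keep a session cache)"


if __name__ == "__main__":
    ctx = new_client_context()
    print("library default :", describe_resumption(ctx))
    disable_session_tickets(ctx)
    print("after -no_ticket:", describe_resumption(ctx))
    enable_session_tickets(ctx)
    print("after callback  :", describe_resumption(ctx))
```

The same inspection is useful when auditing any OpenSSL-based client: dump the effective options after the library's own setup and confirm whether SSL_OP_NO_TICKET is set before assuming that tickets, and the ticket-key rotation story that comes with them, are in play.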

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2015-02-16