Apache Lounge
Disable TLS Session Resumption on Apache2.4.7

 
shn124js
PostPosted: Mon 28 May '18 8:27    Post subject: Disable TLS Session Resumption on Apache2.4.7

Is there a way to disable Session Resumption completely?
I do not want to resume TLS Sessions using Session Tickets and/or IDs for a website.
I tried "On Apache you need insert the SSLOpenSSLConfCmd directive into the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf", but it didn't pass the config test.

My web server is Apache 2.4.7 on Ubuntu 14.04.5 LTS.
shn124js
PostPosted: Mon 04 Jun '18 12:45

Anybody ...?
James Blond (Moderator)
PostPosted: Mon 04 Jun '18 16:44

You may try
Code:
SSLSessionCache none
SSLSessionTickets off

I wonder why you want to disable it.
shn124js
PostPosted: Tue 05 Jun '18 9:18

Thanks James Blond. I will try that.
The reason why I am doing that is to isolate an issue with non-Microsoft browsers. I have horrible connection timeouts on all non-Microsoft browsers. My websites get stuck at "Establishing Secure Connection" and gradually time out. In fact it doesn't work. I don't see this on Edge or IE 11 (not that I am a fan of MSFT browsers, but it works and never times out). I did a Wireshark capture and a comparison and found that the only perceivable difference was the "Session Resumption" done by non-MSFT browsers. That is why... Do you have any suggestions?
James Blond (Moderator)
PostPosted: Tue 05 Jun '18 16:08

Maybe you can post your SSL config and KeepAlive settings and maybe we can see an issue in that.
shn124js
PostPosted: Tue 05 Jun '18 18:11

Moved to pastebin by admin, see forum rules.

See https://apaste.info/ragK

Removed other post with content:

@James Blond Sorry I had to paste all the related configs.
This is actually a dummy website with no content, created to reproduce and further troubleshoot the non-MSFT browser issue that I mentioned earlier. And I was able to reproduce the issue, even on this dummy webpage.
shn124js
PostPosted: Wed 06 Jun '18 9:58

I tried:
SSLSessionCache none
SSLSessionTickets off

And I got a syntax error:
....
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 46 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
....

So I commented that out and just added "SSLSessionCache none", which was accepted. However, it still resumes sessions.

I am wondering if there is really a way to disable it.
shn124js
PostPosted: Sun 10 Jun '18 10:04

Hi, anybody?
James Blond (Moderator)
PostPosted: Mon 11 Jun '18 9:23

From OpenSSL 1.0.2 on you can use

Code:
SSLOpenSSLConfCmd Options -SessionTicket

I wonder how old your OpenSSL version must be.

There is no other way to disable that.
You can use some patches[1] and compile Apache yourself. That is the reason why I compile Apache myself with the latest version of OpenSSL and the latest version of the Apache source code[2].

[1] https://github.com/ivanr/bulletproof-tls/tree/master/apache
[2] https://github.com/JBlond/debian_build_apache24/
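A way to check what the two answers above actually change, added here as an example; it is not code from the thread, from Apache httpd or from OpenSSL. The first answer turns off the server-side session cache (SSLSessionCache none) and session tickets (SSLSessionTickets off); the second does the ticket part through SSLOpenSSLConfCmd Options -SessionTicket. Per the mod_ssl documentation, SSLSessionTickets exists only from httpd 2.4.11 on, and SSLOpenSSLConfCmd only from httpd 2.4.8 on with OpenSSL 1.0.2 or later; that is why httpd 2.4.7 rejects SSLSessionTickets as an unknown directive, and why "SSLSessionCache none" on its own still lets ticket-based (stateless) resumption through. The probe below makes two TLS 1.2 connections, offers the first connection's session in the second handshake, and reports whether the server resumed and whether it did so by ticket or by session ID; diagnose() maps that to the directives involved. Assumptions: Python 3.7 or newer, a reachable host and port given on the command line, and an --insecure flag (a name chosen for this example) to skip certificate checks on a self-signed test vhost.

```python
"""Probe whether a TLS server resumes sessions and which mod_ssl setting stops it.

Added example, not code from the forum thread. Assumes Python 3.7+ (for
ssl.TLSVersion) and a reachable HOST:PORT. The probe pins TLS 1.2: that is
the newest version the thread's httpd 2.4.7 / OpenSSL 1.0.1f stack offers,
and the Python ssl module does not surface TLS 1.3 post-handshake tickets
reliably enough for a yes/no check.
"""
import socket
import ssl
import sys


def probe_resumption(host, port=443, timeout=5.0, verify=True):
    """Handshake twice; the second handshake offers the first session.

    Returns a dict with the negotiated version, whether the server issued a
    session ticket, the length of the server-chosen session ID, and whether
    the second handshake was an abbreviated (resumed) one.
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if not verify:  # self-signed test vhost, as in the thread's dummy site
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    # 1) Full handshake: keep whatever session state the server hands out.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            first = tls.session
            version = tls.version()
    if first is None:
        return {"version": version, "ticket": False,
                "session_id_len": 0, "resumed": False}

    # 2) Offer that session again (ticket and/or ID). The server decides
    #    whether to resume; session_reused reports what it did.
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=first) as tls:
            resumed = tls.session_reused
    return {"version": version, "ticket": first.has_ticket,
            "session_id_len": len(first.id), "resumed": resumed}


def diagnose(result):
    """Map a probe result to the mod_ssl directives that would stop it.

    Pure function (no network) so it can be tested on its own. Version
    notes come from the mod_ssl documentation.
    """
    if not result["resumed"]:
        return {"mechanism": "none", "directives": [], "notes": [
            "server ran a full handshake; resumption is already off"]}
    if result["ticket"]:
        # Stateless resumption: the server issued a ticket, so turning off
        # the server-side cache alone (SSLSessionCache none) leaves
        # resumption working, which is what the poster observed.
        return {"mechanism": "ticket", "directives": [
                    "SSLSessionTickets off",                     # httpd >= 2.4.11
                    "SSLOpenSSLConfCmd Options -SessionTicket",  # httpd >= 2.4.8 and OpenSSL >= 1.0.2
                    "SSLSessionCache none",                      # server config context only
                ], "notes": [
                    "either of the first two lines disables tickets; keep the "
                    "cache off as well so session-ID resumption cannot take over"]}
    # Stateful resumption: no ticket, so the server found the ID in its cache.
    return {"mechanism": "session-id", "directives": ["SSLSessionCache none"],
            "notes": ["SSLSessionCache is server-wide, not a per-vhost directive"]}


if __name__ == "__main__":
    insecure = "--insecure" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--insecure"]
    host = args[0]
    port = int(args[1]) if len(args) > 1 else 443
    result = probe_resumption(host, port, verify=not insecure)
    print(result)
    report = diagnose(result)
    print("mechanism:", report["mechanism"])
    for line in report["directives"]:
        print(line)
    for note in report["notes"]:
        print("#", note)
```

Run it as `python3 probe.py example.org 443` (add `--insecure` for a self-signed certificate). If "resumed" comes back True with "ticket" True, the ticket mechanism is what survived "SSLSessionCache none", and only a ticket-disabling directive, or a build where one exists, will change the answer.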
shn124js
PostPosted: Mon 11 Jun '18 11:34    Post subject: OpenSSL version is

root@ubuntu:~# openssl version -a

OpenSSL 1.0.1f 6 Jan 2014
built on: Wed Apr 18 18:30:39 UTC 2018
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
shn124js
PostPosted: Mon 11 Jun '18 11:37    Post subject: What steps

Could you advise the procedure step by step for what you said could be the fix for this? I would greatly appreciate it.
James Blond (Moderator)
PostPosted: Wed 13 Jun '18 11:37

1) Your OpenSSL version is too old to add SSLOpenSSLConfCmd.

2) You could patch your Apache sources and compile it, but then you can't update it via apt-get.

3) You can completely compile Apache yourself, independent of the OS (like I do).

4) Upgrade your Ubuntu to a newer version where you can set SSLOpenSSLConfCmd in your Apache.
fred
PostPosted: Sun 02 Sep '18 23:46

James Blond wrote:
I wonder why you want to disable it.

This is a good reason for disabling:
Tracking Users across the Web via TLS Session Resumption