Topic: Disable TLS Session Resumption on Apache2.4.7

[shn124js]

Is there a way to disable Session Resumption completely?
I do not want to resume TLS Sessions using Session Tickets and/or IDs for a website.
I tried "On Apache you need insert the SSLOpenSSLConfCmd directive into the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf", but it didn't pass the config test.

My web server is Apache 2.4.7 on Ubuntu 14.04.5 LTS.

[shn124js]

Anybody ...?

[James Blond]

You may try

[shn124js]

Thanks James Blond. I will try that.
Reason why i am doing that is to isolate an issue with non-Microsoft browsers. I have horrible connection timeouts on all non-Microsoft browsers. My websites gets stuck at "Establishing Secure Connection" and gradually timeouts. Infact it doesn't work. I don't see this on Edge or IE 11 (not that i am a fan of MSFT browsers but it works and never timeouts). I did Wireshark and did a comparison and found that the only perceivable difference was "Session Resumption" done my non-MSFT browsers. That is why... Do you have any suggestions...

[James Blond]

Maybe you can post your SSL config and KeepAlive settings and maybe we can see an issue in that.

[shn124js]

Moved to pastbin by admin, see forum rules.

See https://apaste.info/ragK

Removed other post with content:

@James Blond Sorry I had to paste all the related configs.
This is actually a dummy website with no content, created to reproduce and further troubleshoot the non-MSFT browser issue that I mentioned earlier. And I was able to reproduce the issue, even on this dummy webpage.

[shn124js]

I tried :
SSLSessionCache none
SSLSessionTickets off

And i got syntax error :
....
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 46 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
....

So i commented out that and just added "SSLSessionCache none" which was accepted. However, it still resumes Sessions.

I am wondering if there is really a way to disable it.

[shn124js]

hi Anybody ?

[James Blond]

From OpenSSL 1.0.2 on you can use

[shn124js]

root@ubuntu:~# openssl version -a

OpenSSL 1.0.1f 6 Jan 2014
built on: Wed Apr 18 18:30:39 UTC 2018
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

[shn124js]

Could you advise the procedure step by step for what you said could be the fix for this... I would greatly appreciate...

[James Blond]

1) Your OpenSSL Version is too old, to add SSLOpenSSLConfCmd

2)You could patch your apache sources and compile it, but then you can't update it via apt-get

3) You can completly compile apache yourself, independent from the OS ( like I do)

4) upgrade your ubuntu to a newer version where you can set SSLOpenSSLConfCmd in your apache.

[fred]