| Author | 
  | 
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Mon 28 May '18 8:27    Post subject: Disable TLS Session Resumption on Apache2.4.7 | 
     | 
 
  | 
 
Is there a way to disable Session Resumption completely?
 
I do not want to resume TLS Sessions using Session Tickets and/or IDs for a website.
 
I tried "On Apache you need insert the SSLOpenSSLConfCmd directive into the virtual host configuration in /etc/apache2/sites-enabled/domain.conf or /etc/httpd/sites-enabled/domain.conf", but it didn't pass the config test.
 
 
My web server is Apache 2.4.7 on Ubuntu 14.04.5 LTS. | 
 
  | 
 | 
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Mon 04 Jun '18 12:45    Post subject:  | 
     | 
 
  | 
 
| Anybody ...? | 
 
  | 
 | 
James Blond Moderator
  
  Joined: 19 Jan 2006 Posts: 7442 Location: EU, Germany, Next to Hamburg
  | 
 Posted: Mon 04 Jun '18 16:44    Post subject:  | 
     | 
 
  | 
 
You may try
 
 	  | Code: | 	 		  
 
SSLSessionCache none
 
SSLSessionTickets off
 
 | 	  
 
 
 
I wonder why you want to disable it. | 
 
  | 
 | 
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Tue 05 Jun '18 9:18    Post subject:  | 
     | 
 
  | 
 
Thanks James Blond. I will try that.
 
The reason why I am doing that is to isolate an issue with non-Microsoft browsers. I have horrible connection timeouts on all non-Microsoft browsers. My websites get stuck at "Establishing Secure Connection" and gradually time out. In fact, it doesn't work. I don't see this on Edge or IE 11 (not that I am a fan of MSFT browsers, but it works and never times out). I did Wireshark and did a comparison and found that the only perceivable difference was "Session Resumption" done by non-MSFT browsers. That is why... Do you have any suggestions... | 
 
  | 
 | 
James Blond Moderator
  
  Joined: 19 Jan 2006 Posts: 7442 Location: EU, Germany, Next to Hamburg
  | 
 Posted: Tue 05 Jun '18 16:08    Post subject:  | 
     | 
 
  | 
 
| Maybe you can post your SSL config and KeepAlive settings and maybe we can see an issue in that. | 
 
  | 
 | 
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Tue 05 Jun '18 18:11    Post subject:  | 
     | 
 
  | 
 
Moved to pastebin by admin, see forum rules.
 
 
See https://apaste.info/ragK 
 
 
Removed other post with content:
 
 
@James Blond Sorry I had to paste all the related configs. 
 
 This is actually a dummy website with no content, created to reproduce and further troubleshoot the non-MSFT browser issue that I mentioned earlier. And I was able to reproduce the issue, even on this dummy webpage. | 
 
  | 
 | 
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Wed 06 Jun '18 9:58    Post subject:  | 
     | 
 
  | 
 
I tried:
 
SSLSessionCache none 
 
SSLSessionTickets off 
 
 
And I got a syntax error:
 
....
 
 * The apache2 configtest failed.
 
Output of config test was:
 
AH00526: Syntax error on line 46 of /etc/apache2/mods-enabled/ssl.conf:
 
Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not included in the server configuration
 
Action 'configtest' failed.
 
....
 
 
So I commented that out and just added "SSLSessionCache none", which was accepted. However, it still resumes sessions.
 
 
I am wondering if there is really a way to disable it. | 
 
  | 
 | 
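To confirm whether a change such as `SSLSessionCache none` actually stopped resumption, the handshake types reported by `openssl s_client -reconnect` can be counted. This is an added example, not part of any post in the thread; the function names and sample outputs are constructed, and it assumes a TLS 1.2 or earlier connection, where s_client prints one `New,` or `Reused,` line per handshake.

```shell
#!/usr/bin/env bash
# Added example: tell from `openssl s_client -reconnect` output whether a
# server resumes TLS sessions. Function names are illustrative.

# Read s_client output on stdin and count handshakes by type. For TLS 1.2
# and earlier, s_client prints one "New, ..." or "Reused, ..." line each.
resumption_summary() {
    awk '
        /^New, /    { n++ }
        /^Reused, / { r++ }
        END {
            if (n + r == 0)  v = "no-handshake"
            else if (r > 0)  v = "resumption-enabled"
            else             v = "resumption-disabled"
            printf "new=%d reused=%d verdict=%s\n", n, r, v
        }'
}

# Probe a live server (first argument: host:port). -reconnect repeats the
# connection five times offering the first session again. Extra arguments
# are passed through, e.g. -no_ticket to withhold the ticket extension.
probe_resumption() {
    target=$1; shift
    openssl s_client -connect "$target" -reconnect "$@" </dev/null 2>/dev/null |
        resumption_summary
}

# Constructed, trimmed s_client output: a server that still resumes.
SAMPLE_RESUMING='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Constructed output: every reconnect is a full handshake.
SAMPLE_FULL='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_RESUMING" | resumption_summary
printf '%s\n' "$SAMPLE_FULL" | resumption_summary
```

Running `probe_resumption host:443` and then `probe_resumption host:443 -no_ticket` (with the real host in place of the placeholder) separates the two mechanisms: if only the first run reports `Reused`, the session cache is off but tickets are still being issued.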
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Sun 10 Jun '18 10:04    Post subject:  | 
     | 
 
  | 
 
| Hi, anybody? | 
 
  | 
 | 
James Blond Moderator
  
  Joined: 19 Jan 2006 Posts: 7442 Location: EU, Germany, Next to Hamburg
  | 
 | 
 | 
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Mon 11 Jun '18 11:34    Post subject: Openssl version is | 
     | 
 
  | 
 
root@ubuntu:~# openssl version -a
 
 
OpenSSL 1.0.1f 6 Jan 2014
 
built on: Wed Apr 18 18:30:39 UTC 2018
 
platform: debian-amd64
 
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
 
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
 
OPENSSLDIR: "/usr/lib/ssl" | 
 
  | 
 | 
shn124js
 
 
  Joined: 27 May 2018 Posts: 8 Location: UAE
  | 
 Posted: Mon 11 Jun '18 11:37    Post subject: What steps | 
     | 
 
  | 
 
| Could you advise the procedure step by step for what you said could be the fix for this... I would greatly appreciate... | 
 
  | 
 | 
James Blond Moderator
  
  Joined: 19 Jan 2006 Posts: 7442 Location: EU, Germany, Next to Hamburg
  | 
 Posted: Wed 13 Jun '18 11:37    Post subject:  | 
     | 
 
  | 
 
1) Your OpenSSL version is too old to add SSLOpenSSLConfCmd.

2) You could patch your Apache sources and compile it, but then you can't update it via apt-get.

3) You can completely compile Apache yourself, independent of the OS (like I do).

4) Upgrade your Ubuntu to a newer version where you can set SSLOpenSSLConfCmd in your Apache. | 
 
  | 
 | 
fred
 
 
  Joined: 01 Sep 2018 Posts: 3 Location: Germany, Hamburg
  | 
 Posted: Sun 02 Sep '18 23:46    Post subject:  | 
     | 
 
  | 
 
 	  | James Blond wrote: | 	 		  | I wonder why you want to disable it. | 	  
 
 
This is a good reason for disabling:
 
Tracking Users across the Web via TLS Session Resumption | 
 
  | 
 |