Bug 1190509

Summary: Backport SSLSessionCacheTimeout for RFC 5077 session tickets
Product: Red Hat Enterprise Linux 6 Reporter: Davis Mosenkovs <davis>
Component: httpd Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Petr Šplíchal <psplicha>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.6 CC: davis, dkutalek, jkaluza, jorton, mfrodl, ohudlick, psplicha
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.2.15-48.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-10 21:36:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Patch for CentOS 6.6 source RPM (Flags: none)

Description Davis Mosenkovs 2015-02-08 20:37:16 UTC
Created attachment 989478
Patch for CentOS 6.6 source RPM

Description of problem:
Setting SSLSessionCacheTimeout has no effect on lifetime of RFC 5077 TLS session tickets.

Version-Release number of selected component (if applicable):
mod_ssl.x86_64 1:2.2.15-39.el6.centos

How reproducible:
Always reproducible

Steps to Reproduce:
1. In /etc/httpd/conf.d/ssl.conf adjust "SSLSessionCacheTimeout 7200"
2. service httpd restart
3. openssl s_client -connect 127.0.0.1:443 | grep "TLS session ticket lifetime"

Actual results:
TLS session ticket lifetime hint: 300 (seconds)

Expected results:
TLS session ticket lifetime hint: 7200 (seconds)

Additional info:
Issue is discussed here: http://www.gossamer-threads.com/lists/apache/dev/438166

This has been fixed in httpd with this commit: http://svn.apache.org/r1610311
and backported to 2.2.28: http://svn.apache.org/r1610888

Patch for CentOS 6.6 HTTPD/mod_ssl version is attached.
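
The check from the steps to reproduce above, as an added example that is not part of the original report or of the attached patch: it compares the configured SSLSessionCacheTimeout with the ticket lifetime hint the server advertises. The function names and the sample config and s_client text are constructed for illustration, and using the last occurrence of the directive (ignoring per-vhost scoping) is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the RFC 5077 ticket
# lifetime hint follows SSLSessionCacheTimeout. Live use would be:
#   check_ticket_lifetime "$(cat /etc/httpd/conf.d/ssl.conf)" \
#     "$(openssl s_client -connect 127.0.0.1:443 </dev/null 2>/dev/null)"

# Read httpd config text on stdin, print the last numeric
# SSLSessionCacheTimeout value (assumption: last occurrence wins).
# Commented-out lines never match because their first field starts with '#'.
configured_timeout() {
    awk 'tolower($1) == "sslsessioncachetimeout" && $2 ~ /^[0-9]+$/ { v = $2 }
         END { if (v != "") print v }'
}

# Read `openssl s_client` output on stdin, print the advertised hint in seconds.
ticket_hint() {
    sed -n 's/^[[:space:]]*TLS session ticket lifetime hint: \([0-9][0-9]*\) (seconds).*/\1/p' |
        head -n 1
}

# check_ticket_lifetime CONFIG_TEXT SCLIENT_OUTPUT
# Returns 0 on match, 1 on mismatch, 2 if either value could not be found
# (for example, the server sent no session ticket at all).
check_ticket_lifetime() {
    want=$(printf '%s\n' "$1" | configured_timeout)
    got=$(printf '%s\n' "$2" | ticket_hint)
    if [ -z "$want" ] || [ -z "$got" ]; then
        echo "UNKNOWN: configured='${want}' advertised='${got}'"
        return 2
    fi
    if [ "$want" -eq "$got" ]; then
        echo "OK: ticket lifetime hint ${got}s matches SSLSessionCacheTimeout"
        return 0
    fi
    echo "MISMATCH: SSLSessionCacheTimeout=${want}s, ticket lifetime hint=${got}s"
    return 1
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_CONF='#SSLSessionCacheTimeout 300
SSLSessionCacheTimeout 7200'
SAMPLE_UNPATCHED='SSL-Session:
    TLS session ticket lifetime hint: 300 (seconds)'
SAMPLE_PATCHED='SSL-Session:
    TLS session ticket lifetime hint: 7200 (seconds)'

check_ticket_lifetime "$SAMPLE_CONF" "$SAMPLE_UNPATCHED" || true
check_ticket_lifetime "$SAMPLE_CONF" "$SAMPLE_PATCHED" || true
```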

Comment 2 Joe Orton 2015-02-16 10:34:08 UTC
If this issue is critical or in any way time sensitive, please raise a ticket
through your regular Red Hat support channels to make certain it receives the
proper attention and prioritization to assure a timely resolution.

Comment 11 errata-xmlrpc 2016-05-10 21:36:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0841.html