by xenophonf 3184 days ago
So if, like me, you want to know how to disable session tickets in Apache httpd, you need to be running at least httpd 2.4.8 with OpenSSL 1.0.2. Then you can set:

  SSLOpenSSLConfCmd Options -SessionTicket

Alternatively, if you're running at least httpd 2.4.11 with OpenSSL 0.9.8f, you can set this instead:

  SSLSessionTickets off

See also:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslopenss...

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessio...

1 comments

Also, if you're running RHEL/CentOS 7, you'll want to switch to the SCL version of Apache httpd (2.4.25) as the version in the base repositories (2.4.6) is too old to support either setting:

https://www.softwarecollections.org/en/scls/rhscl/httpd24/

Well, technically RHEL7 runs httpd-2.4.6-67, which is Red Hat's 67th patched version of 2.4.6.

They backport a lot of stuff from later versions, don't see why they could not have done this (they haven't, I checked).
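
Added example, not part of the thread and not Apache httpd's own code: a small Python audit that applies the version minimums quoted in the first comment to the text of a config file. It only looks for lines that switch tickets off, ignores `<VirtualHost>` scoping, and compares upstream version strings, so distro backports are invisible to it; the function names and the sample config are constructed for illustration.

```python
import re

# Minimum (httpd, OpenSSL) versions per directive, as stated in the thread above.
MINIMUMS = {
    "sslopensslconfcmd": ((2, 4, 8), "1.0.2"),
    "sslsessiontickets": ((2, 4, 11), "0.9.8f"),
}

# Constructed sample config, not taken from a real server.
SAMPLE_CONF = """\
# SSLSessionTickets off   (commented out, must be ignored)
SSLEngine on
SSLSessionTickets off
"""

def openssl_key(version):
    """Sort key for pre-3.0 OpenSSL versions: '0.9.8f' -> (0, 9, 8, 'f')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def httpd_key(version):
    """'2.4.6' -> (2, 4, 6). A distro release suffix such as '-67' is not handled."""
    return tuple(int(p) for p in version.split("."))

def disables_tickets(name, args):
    """True if this (lower-cased) directive line turns session tickets off."""
    if name == "sslsessiontickets":
        return args[:1] == ["off"]
    if name == "sslopensslconfcmd" and args[:1] == ["options"]:
        return "-sessionticket" in ",".join(args[1:]).split(",")
    return False

def audit(conf_text, httpd_version, openssl_version):
    """Return (status, line_no); status is 'disabled', 'unsupported' or 'enabled'."""
    status, where = "enabled", None  # tickets stay on unless a directive turns them off
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.lower().split()  # a '#' comment line never matches a directive name
        if not parts or not disables_tickets(parts[0], parts[1:]):
            continue
        min_httpd, min_ssl = MINIMUMS[parts[0]]
        ok = (httpd_key(httpd_version) >= min_httpd
              and openssl_key(openssl_version) >= openssl_key(min_ssl))
        status, where = ("disabled" if ok else "unsupported"), no
    return status, where
```

A result of `unsupported` means the directive is present but the given versions fall below the minimums quoted above, which is the RHEL/CentOS 7 base-repository case described in the replies.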