authorEric Wong <e@80x24.org>2016-03-01 01:38:05 +0000
committerEric Wong <e@80x24.org>2016-03-01 01:55:10 +0000
commit21f2bb507bd34d263059595802f773481af5416e (patch)
tree448e888dcfaccef0025e5de84cadef9304bc627d /Documentation
parent7ee064f52ee740eeafa49089911f6eca18c67e38 (diff)
downloadyahns-21f2bb507bd34d263059595802f773481af5416e.tar.gz
This release ensures OpenSSL::SSL::SSLContext#session_id_context
is always set for OpenSSL users.  It won't overwrite existing
settings, but setting it to a random value is necessary to
ensure clients do not get aborted connections when attempting to
use a session cache.

No need to actually upgrade if you're on 1.12.1, you may add the
following to your yahns_config(5) file where
OpenSSL::SSL::SSLContext is configured:

	# recommended, not required.  This sets safer defaults
	# provided by Ruby on top of what OpenSSL gives:
	ssl_ctx.set_params

	# required, and done by default in v1.12.2:
	ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32)

yahns gives you full control of how OpenSSL::SSL::SSLContext is
configured.  To avoid bugs, yahns only ensures
OpenSSL::SSL::SSLContext#session_id_context is set (if not previously
set by the user) and calls OpenSSL::SSL::SSLContext#setup before
spawning threads to avoid race conditions.  yahns itself does not and
will not enforce any opinion on the compatibility/performance/security
trade-offs regarding TLS configuration.

Note: keep in mind using an SSL session cache may be less useful
with yahns because HTTP/1.1 persistent connections may live
forever :)

3 bug/doc fixes on top of v1.12.1:
      document OpenSSL::SSL::SSLContext#set_params use
      ssl: ensure session_id_context is always set
      test/*: fix mktmpdir usage for 1.9.3
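The two config lines in the release notes above, carried through as a runnable Ruby example. This is an added example, not yahns' own code: `yahns_style_ssl_ctx` is a hypothetical helper that does what the notes describe (keep the user's settings, default only `session_id_context`, call `#setup` once before any threads exist), and `example_user_ctx` stands in for the `ssl_ctx` block of a yahns_config(5) file with the certificate and key lines left out so it runs without any files. The 32-byte limit on `session_id_context` is OpenSSL's `SSL_MAX_SID_CTX_LENGTH`; the explicit check for it is this example's own addition, since a longer value only surfaces as an `OpenSSL::SSL::SSLError` from `#setup`.

```ruby
require 'openssl'

# OpenSSL's SSL_MAX_SID_CTX_LENGTH: SSL_CTX_set_session_id_context rejects
# anything longer, which Ruby reports as SSLError from SSLContext#setup.
MAX_SID_CTX_LEN = 32

# Hypothetical helper (not yahns' own code) mirroring the release notes:
# it never overwrites a user-supplied session_id_context, defaults it to
# 32 random bytes otherwise, and performs #setup exactly once.
def yahns_style_ssl_ctx(ssl_ctx)
  # `||=` keeps whatever the user configured; the random default is what
  # the release notes say v1.12.2 does when nothing was set.
  ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(MAX_SID_CTX_LEN)

  sid = ssl_ctx.session_id_context
  if sid.bytesize > MAX_SID_CTX_LEN
    raise ArgumentError,
          "session_id_context is #{sid.bytesize} bytes; OpenSSL allows at most #{MAX_SID_CTX_LEN}"
  end

  # #setup pushes the Ruby-level attributes into the underlying SSL_CTX and
  # freezes the object.  Doing it here, before any thread is spawned, means
  # threads only ever share an already-configured, immutable context.
  ssl_ctx.setup
  ssl_ctx
end

# Stand-in for the ssl_ctx block of a yahns_config(5) file.  A real config
# would also assign ssl_ctx.cert and ssl_ctx.key; they are omitted here so
# the example runs without files.
def example_user_ctx(sid = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params            # Ruby's stricter defaults layered on OpenSSL's
  ctx.session_id_context = sid if sid
  ctx
end

if __FILE__ == $0
  ctx = yahns_style_ssl_ctx(example_user_ctx)
  puts "session_id_context: #{ctx.session_id_context.unpack('H*').first}"
  puts "frozen after setup: #{ctx.frozen?}"
  puts "second setup is a no-op: #{ctx.setup.inspect}"
end
```

Because the context is frozen once `#setup` has run, any `ssl_ctx` attribute assignment after that point raises instead of silently doing nothing, so all TLS configuration has to be finished before the server starts.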
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/yahns_config.pod8
1 files changed, 8 insertions, 0 deletions
diff --git a/Documentation/yahns_config.pod b/Documentation/yahns_config.pod
index aadd691..1b2595b 100644
--- a/Documentation/yahns_config.pod
+++ b/Documentation/yahns_config.pod
@@ -452,6 +452,14 @@ An example which seems to work is:
     listen 443, ssl_ctx: ssl_ctx
   end
 
+yahns gives you full control of of how OpenSSL::SSL::SSLContext is
+configured.  To avoid bugs, yahns only ensures
+OpenSSL::SSL::SSLContext#session_id_context is set (if not previously
+set by the user) and calls OpenSSL::SSL::SSLContext#setup before
+spawning threads to avoid race conditions.  yahns itself does not and
+will not enforce any opinion on the compatibility/performance/security
+trade-offs regarding TLS configuration.
+
 =item umask: MODE
 
 Sets the file mode creation mask for UNIX sockets.  If specified,
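Review bot: the added paragraph in Documentation/yahns_config.pod has a doubled word ("full control of of how") and leaves out two things a user editing the ssl_ctx block will want to know. First, what the default session_id_context actually is: the release notes say 32 random bytes from OpenSSL::Random.random_bytes, and since that value is generated fresh each time the process starts, cached sessions will not resume across a restart; users who want resumption to survive restarts must set session_id_context themselves, and the paragraph should say so. Second, OpenSSL::SSL::SSLContext#setup freezes the context, so an ssl_ctx change made after yahns has called it raises rather than taking effect; one sentence stating that all SSLContext configuration must be complete before yahns starts serving would prevent that surprise.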