Re: [mosquitto-dev] Mosquitto and TLS Session Resumption / session ticket lifetime ?

Hi Martin,

This is a case of just using the defaults as provided by openssl; the
300 seconds value comes from there.

> How can I increase session ticket lifetime in the mosquitto broker ?

In src/net.c _mosquitto_tls_server_ctx() at some point after the
listener->ssl_ctx is created, use

SSL_CTX_set_timeout(listener->ssl_ctx, timeout_in_seconds);

> How can I use Mosquitto / OpenSSL C API to leverage session tickets in an
> MQTT C client ?

Not at the moment; this needs code changes that are a bit more
involved - it looks like we need to use SSL_set_session() to apply a
saved session to your client and SSL_CTX_sess_set_new_cb() to save the
session out.

> Is there any way I could persist session tickets on the clients, so they
> would remain valid across reboot ?

With the above changes, yes.

> What is the lifetime of the Session Ticket Master Secret on the Broker, and
> how could I change that lifetime?
>
> Is there any way I could rotate the Session Ticket Master Secret on the
> Broker ? Ideally, I'd like to re-create session tickets every 12 hours and
> send the new tickets to all clients through the existing MQTT sessions.

Unless openssl is rotating it (highly unlikely) then it will remain
until restart.

To change the lifetime it looks like generating new keys and applying
them with SSL_CTX_set_tlsext_ticket_keys() is the way to go, but more
than that I can't say right now.


Adding an option to change the server timeout seems straightforward.
Adding the ability to save/restore sessions on the clients seems a bit
more involved but with minimal worry.
Changing the lifetime and rotating the master secret has a lot more
unknowns at the moment.

Cheers,

Roger

