
Apache Invalid command SSLSessionTickets

Question asked by Steve Andrews on Apr 22, 2015
Latest reply on Apr 23, 2015 by Steve Andrews

Hi, I'm a sophomore at Oklahoma State University and I'm taking some online courses for a Computer Science degree. I was given a project to set up a secure web server. After doing some research I decided to go with a LAMP server. Over the last 2 weeks I've got it up and running with one exception, which no one I've talked to has been able to help me with. I'm trying to set "SSLSessionTickets Off". As far as everything I've read, if you're not restarting your server frequently it should be "off", which for some reason Apache devs have set the default to "on", which compromises perfect forward secrecy. (See here).

 

With SSLSessionTickets commented out, Apache starts with just a few warnings having to do with my self-signed cert. With SSLSessionTickets uncommented, Apache has a fit and tells me:

 

* Restarting web server apache2                                         [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 89 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.

 

There's no info in the error.log since Apache fails to start and I can't find any info online.

 

My Setup:

Ubuntu Server 14.04.2

Apache 2.4.7

OpenSSL 1.0.1f

 

My ssl.conf file with all the comments removed:

 

<IfModule mod_ssl.c>

 

        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512

 

        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl

 

        SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase

 

        SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300

 

        SSLCipherSuite AES128+EECDH:AES128+EDH
        SSLHonorCipherOrder on

 

        SSLProtocol all -SSLv2 -SSLv3

 

        SSLSessionTickets off

 

        SSLCompression off
        SSLUseStapling on
        SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
        Header always set Strict-Transport-Security "max-age=63072000; incl$
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

 

</IfModule>

 

I'm pulling an A with this setup from the SSL Labs Server Test if I ignore the T for having a self-signed cert. The Invalid command 'SSLSessionTickets' error is ruining my sense of accomplishment. Please take pity on a beginner and point me in the right direction.

 

Thank you,

Steve Andrews
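
The mod_ssl documentation lists SSLSessionTickets as available in httpd 2.4.11 and later, while the setup in the post reports Apache 2.4.7. The following is an added example, not part of the original post: a small shell lint that compares the version banner with that minimum before a directive reaches configtest. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report mod_ssl directives that
# the installed httpd release is too old to parse.

# Minimum httpd release per directive, matched case-insensitively.
# 2.4.11 is the availability the mod_ssl documentation gives for SSLSessionTickets.
min_version_for() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    sslsessiontickets) echo "2.4.11" ;;
  esac
}

# Pull "2.4.7" out of a banner like "Server version: Apache/2.4.7 (Ubuntu)".
parse_httpd_version() {
  printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p'
}

# version_ge A B: true when dotted version A >= B, compared numerically per field.
version_ge() {
  vg_a=$1 vg_b=$2
  for vg_i in 1 2 3; do
    vg_x=${vg_a%%.*} vg_y=${vg_b%%.*}
    if [ "$vg_x" -gt "$vg_y" ]; then return 0; fi
    if [ "$vg_x" -lt "$vg_y" ]; then return 1; fi
    case $vg_a in *.*) vg_a=${vg_a#*.} ;; *) vg_a=0 ;; esac
    case $vg_b in *.*) vg_b=${vg_b#*.} ;; *) vg_b=0 ;; esac
  done
  return 0
}

# lint_conf VERSION: read a config on stdin, print one line per unsupported
# directive, and return 1 if any was found.
lint_conf() {
  lc_n=0 lc_bad=0
  while read -r lc_name lc_rest || [ -n "$lc_name" ]; do
    lc_n=$((lc_n + 1))
    lc_need=$(min_version_for "$lc_name")
    [ -n "$lc_need" ] || continue
    if ! version_ge "$1" "$lc_need"; then
      echo "line $lc_n: $lc_name needs httpd >= $lc_need (have $1)"
      lc_bad=1
    fi
  done
  return "$lc_bad"
}

# Constructed demo: the banner and the directive from the post's setup.
have=$(parse_httpd_version "Server version: Apache/2.4.7 (Ubuntu)")
printf 'SSLCompression off\nSSLSessionTickets off\n' | lint_conf "$have" || true
```

On a live server the banner would come from `apache2 -v` and the config from the file named in the configtest error.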
