MINOR: ssl/server: add the "no-ssl-reuse" server option
This option disables SSL session reuse when SSL is used to communicate with the server. It will force the server to perform a full handshake for every new connection. It's probably only useful for benchmarking, troubleshooting, and for paranoid users.
This commit is contained in:
parent
64e3416662
commit
2a3fb1c8bb
|
@ -9349,6 +9349,14 @@ minconn <minconn>
|
|||
|
||||
Supported in default-server: Yes
|
||||
|
||||
no-ssl-reuse
|
||||
This option disables SSL session reuse when SSL is used to communicate with
|
||||
the server. It will force the server to perform a full handshake for every
|
||||
new connection. It's probably only useful for benchmarking, troubleshooting,
|
||||
and for paranoid users.
|
||||
|
||||
Supported in default-server: No
|
||||
|
||||
no-sslv3
|
||||
This option disables support for SSLv3 when SSL is used to communicate with
|
||||
the server. Note that SSLv2 is disabled in the code and cannot be enabled
|
||||
|
|
|
@ -122,6 +122,7 @@ enum srv_admin {
|
|||
#define SRV_SSL_O_USE_TLSV12 0x0080 /* force TLSv1.2 */
|
||||
/* 0x00F0 reserved for 'force' protocol version options */
|
||||
#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
|
||||
#define SRV_SSL_O_NO_REUSE 0x200 /* disable session reuse */
|
||||
#endif
|
||||
|
||||
struct pid_list {
|
||||
|
|
|
@ -2347,7 +2347,8 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
|
|||
if (objt_server(conn->target)->ssl_ctx.reused_sess)
|
||||
SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
|
||||
|
||||
objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
|
||||
if (!(objt_server(conn->target)->ssl_ctx.options & SRV_SSL_O_NO_REUSE))
|
||||
objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
|
||||
}
|
||||
else {
|
||||
update_freq_ctr(&global.ssl_fe_keys_per_sec, 1);
|
||||
|
@ -4366,6 +4367,13 @@ static int srv_parse_force_tlsv12(char **args, int *cur_arg, struct proxy *px, s
|
|||
#endif
|
||||
}
|
||||
|
||||
/* parse the "no-ssl-reuse" server keyword */
|
||||
static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
||||
{
|
||||
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_REUSE;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* parse the "no-sslv3" server keyword */
|
||||
static int srv_parse_no_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
||||
{
|
||||
|
@ -4677,6 +4685,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
|
|||
{ "force-tlsv10", srv_parse_force_tlsv10, 0, 0 }, /* force TLSv10 */
|
||||
{ "force-tlsv11", srv_parse_force_tlsv11, 0, 0 }, /* force TLSv11 */
|
||||
{ "force-tlsv12", srv_parse_force_tlsv12, 0, 0 }, /* force TLSv12 */
|
||||
{ "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 0 }, /* disable session reuse */
|
||||
{ "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */
|
||||
{ "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
|
||||
{ "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */
|
||||
|
|
Loading…
Reference in New Issue