MINOR: ssl/server: add the "no-ssl-reuse" server option

This option disables SSL session reuse when SSL is used to communicate with
the server. It will force the server to perform a full handshake for every
new connection. It's probably only useful for benchmarking, troubleshooting,
and for paranoid users.
This commit is contained in:
Willy Tarreau 2015-02-05 16:47:07 +01:00
parent 64e3416662
commit 2a3fb1c8bb
3 changed files with 19 additions and 1 deletions

View File

@ -9349,6 +9349,14 @@ minconn <minconn>
Supported in default-server: Yes
no-ssl-reuse
This option disables SSL session reuse when SSL is used to communicate with
the server. It will force the server to perform a full handshake for every
new connection. It's probably only useful for benchmarking, troubleshooting,
and for paranoid users.
Supported in default-server: No
no-sslv3
This option disables support for SSLv3 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled

View File

@ -122,6 +122,7 @@ enum srv_admin {
#define SRV_SSL_O_USE_TLSV12 0x0080 /* force TLSv1.2 */
/* 0x00F0 reserved for 'force' protocol version options */
#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#define SRV_SSL_O_NO_REUSE 0x200 /* disable session reuse */
#endif
struct pid_list {

View File

@ -2347,7 +2347,8 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
if (objt_server(conn->target)->ssl_ctx.reused_sess)
SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
if (!(objt_server(conn->target)->ssl_ctx.options & SRV_SSL_O_NO_REUSE))
objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
}
else {
update_freq_ctr(&global.ssl_fe_keys_per_sec, 1);
@ -4366,6 +4367,13 @@ static int srv_parse_force_tlsv12(char **args, int *cur_arg, struct proxy *px, s
#endif
}
/* parse the "no-ssl-reuse" server keyword */
static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_REUSE;
return 0;
}
/* parse the "no-sslv3" server keyword */
static int srv_parse_no_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
@ -4677,6 +4685,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
{ "force-tlsv10", srv_parse_force_tlsv10, 0, 0 }, /* force TLSv10 */
{ "force-tlsv11", srv_parse_force_tlsv11, 0, 0 }, /* force TLSv11 */
{ "force-tlsv12", srv_parse_force_tlsv12, 0, 0 }, /* force TLSv12 */
{ "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 0 }, /* disable session reuse */
{ "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */
{ "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
{ "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */