From 2a3fb1c8bb7062fcfaf4c695f456ee457c4e65b1 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 5 Feb 2015 16:47:07 +0100 Subject: [PATCH] MINOR: ssl/server: add the "no-ssl-reuse" server option This option disables SSL session reuse when SSL is used to communicate with the server. It will force the server to perform a full handshake for every new connection. It's probably only useful for benchmarking, troubleshooting, and for paranoid users. --- doc/configuration.txt | 8 ++++++++ include/types/server.h | 1 + src/ssl_sock.c | 11 ++++++++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 9a50ef41dd..971c26e8ff 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -9349,6 +9349,14 @@ minconn Supported in default-server: Yes +no-ssl-reuse + This option disables SSL session reuse when SSL is used to communicate with + the server. It will force the server to perform a full handshake for every + new connection. It's probably only useful for benchmarking, troubleshooting, + and for paranoid users. + + Supported in default-server: No + no-sslv3 This option disables support for SSLv3 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled diff --git a/include/types/server.h b/include/types/server.h index 4f97e17cb3..23bb2b7fcd 100644 --- a/include/types/server.h +++ b/include/types/server.h @@ -122,6 +122,7 @@ enum srv_admin { #define SRV_SSL_O_USE_TLSV12 0x0080 /* force TLSv1.2 */ /* 0x00F0 reserved for 'force' protocol version options */ #define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */ +#define SRV_SSL_O_NO_REUSE 0x200 /* disable session reuse */ #endif struct pid_list { diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f5642ccea7..8739e8bac5 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2347,7 +2347,8 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) if (objt_server(conn->target)->ssl_ctx.reused_sess) SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess); - objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx); + if (!(objt_server(conn->target)->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) + objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx); } else { update_freq_ctr(&global.ssl_fe_keys_per_sec, 1); @@ -4366,6 +4367,13 @@ static int srv_parse_force_tlsv12(char **args, int *cur_arg, struct proxy *px, s #endif } +/* parse the "no-ssl-reuse" server keyword */ +static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) +{ + newsrv->ssl_ctx.options |= SRV_SSL_O_NO_REUSE; + return 0; +} + /* parse the "no-sslv3" server keyword */ static int srv_parse_no_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { @@ -4677,6 +4685,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, { { "force-tlsv10", srv_parse_force_tlsv10, 0, 0 }, /* force TLSv10 */ { "force-tlsv11", srv_parse_force_tlsv11, 0, 0 }, /* force TLSv11 */ { "force-tlsv12", srv_parse_force_tlsv12, 0, 0 }, /* force TLSv12 */ + { "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 0 }, /* disable session reuse */ { "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */ { "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */ { "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */