MINOR: ssl: add statement 'no-tls-tickets' on server side.

This commit is contained in:
Emeric Brun 2012-10-11 15:28:34 +02:00 committed by Willy Tarreau
parent ecc91fea7b
commit f9c5c4701c
3 changed files with 19 additions and 0 deletions


@ -7240,6 +7240,14 @@ no-sslv3
Supported in default-server: No
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers.
Supported in default-server: No
no-tlsv10
This option disables support for TLSv1.0 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled


@ -94,6 +94,7 @@
#define SRV_SSL_O_USE_TLSV11 0x0040 /* force TLSv1.1 */
#define SRV_SSL_O_USE_TLSV12 0x0080 /* force TLSv1.2 */
/* 0x00F0 reserved for 'force' protocol version options */
#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#endif
/* A tree occurrence is a descriptor of a place in a tree, with a pointer back


@ -611,6 +611,8 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
options |= SSL_OP_NO_TLSv1_1;
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
options |= SSL_OP_NO_TLSv1_2;
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
@ -1536,6 +1538,13 @@ static int srv_parse_no_tlsv12(char **args, int *cur_arg, struct proxy *px, stru
return 0;
}
/* parse the "no-tls-tickets" server keyword */
static int srv_parse_no_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLS_TICKETS;
return 0;
}
/* parse the "ssl" server keyword */
static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
@ -1624,6 +1633,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
{ "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
{ "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */
{ "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */
{ "ssl", srv_parse_ssl, 0, 0 }, /* enable SSL processing */
{ NULL, NULL, 0, 0 },
}};
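Review bot: The new `options |= SSL_OP_NO_TICKET;` line in the first hunk of this file (ssl_sock_prepare_srv_ctx, whose body starts and ends outside the hunk) carries no comment, unlike the documentation hunk which explains the intent; a reader of the C code has to know that this context is used for outbound connections, so the flag stops haproxy from offering the RFC 5077 ticket extension and leaves resumption to the backend's session-ID cache. I would add `/* do not offer the RFC 5077 ticket extension to the backend; resumption falls back to the server's stateful session cache */` above that line. The neighbouring `SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2` lines appear unguarded here, so presumably the minimum OpenSSL version is already enforced elsewhere; if not, `SSL_OP_NO_TICKET` would need the same treatment. The parser `srv_parse_no_tls_tickets` and its keyword-table entry are consistent with the sibling `no-tlsv1x` handlers and the documented "default-server: No".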