From 2d0c48268202690ee96bd6c6a91b5e353be13b14 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@exceliance.fr>
Date: Tue, 2 Oct 2012 13:45:20 +0200
Subject: [PATCH] MINOR: ssl: add statement 'no-tls-tickets' on bind to disable
 stateless session resumption

Disables the stateless session resumption (RFC 5077 TLS Ticket extension)
and force to use stateful session resumption.
Stateless session resumption is more expensive in CPU usage.
---
 include/types/listener.h |  1 +
 src/ssl_sock.c           | 42 ++++++++++++++++++++++++++--------------
 2 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/include/types/listener.h b/include/types/listener.h
index b3d52a186..601d6954c 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -102,6 +102,7 @@ struct bind_conf {
 	char *ciphers;             /* cipher suite to use if non-null */
 	char *crlfile;             /* CRLfile to use on verify */
 	char *ecdhe;               /* named curve to use for ECDHE */
+	int no_tls_tickets;        /* disable session resumption tickets */
 	int nosslv3;               /* disable SSLv3 */
 	int notlsv10;              /* disable TLSv1.0 */
 	int notlsv11;              /* disable TLSv1.1 */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7baca58b0..07be3eaac 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -447,6 +447,9 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu
 #ifndef SSL_OP_SINGLE_ECDH_USE                          /* needs OpenSSL >= 0.9.8 */
 #define SSL_OP_SINGLE_ECDH_USE 0
 #endif
+#ifndef SSL_OP_NO_TICKET                                /* needs OpenSSL >= 0.9.8 */
+#define SSL_OP_NO_TICKET 0
+#endif
 #ifndef SSL_OP_NO_COMPRESSION                           /* needs OpenSSL >= 0.9.9 */
 #define SSL_OP_NO_COMPRESSION 0
 #endif
@@ -488,6 +491,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		ssloptions |= SSL_OP_NO_TLSv1_1;
 	if (bind_conf->notlsv12)
 		ssloptions |= SSL_OP_NO_TLSv1_2;
+	if (bind_conf->no_tls_tickets)
+		ssloptions |= SSL_OP_NO_TICKET;
 	if (bind_conf->prefer_server_ciphers)
 		ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 
@@ -1192,6 +1197,14 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
 	return 0;
 }
 
+/* parse the "no-tls-tickets" bind keyword */
+static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	conf->no_tls_tickets = 1;
+	return 0;
+}
+
+
 /* parse the "nosslv3" bind keyword */
 static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
@@ -1304,20 +1317,21 @@ static struct acl_kw_list acl_kws = {{ },{
  * not enabled.
  */
 static struct bind_kw_list bind_kws = { "SSL", { }, {
-	{ "cafile",                bind_parse_cafile,        1 }, /* set CAfile to process verify on client cert */
-	{ "ca-ignore-err",         bind_parse_ignore_err,    1 }, /* set error IDs to ignore on verify depth > 0 */
-	{ "ciphers",               bind_parse_ciphers,       1 }, /* set SSL cipher suite */
-	{ "crlfile",               bind_parse_crlfile,       1 }, /* set certificat revocation list file use on client cert verify */
-	{ "crt",                   bind_parse_crt,           1 }, /* load SSL certificates from this location */
-	{ "crt-ignore-err",        bind_parse_ignore_err,    1 }, /* set error IDs to ingore on verify depth == 0 */
-	{ "ecdhe",                 bind_parse_ecdhe,         1 }, /* defines named curve for elliptic curve Diffie-Hellman */
-	{ "nosslv3",               bind_parse_nosslv3,       0 }, /* disable SSLv3 */
-	{ "notlsv10",              bind_parse_notlsv10,      0 }, /* disable TLSv10 */
-	{ "notlsv11",              bind_parse_notlsv11,      0 }, /* disable TLSv11 */
-	{ "notlsv12",              bind_parse_notlsv12,      0 }, /* disable TLSv12 */
-	{ "prefer-server-ciphers", bind_parse_psc,           0 }, /* prefer server ciphers */
-	{ "ssl",                   bind_parse_ssl,           0 }, /* enable SSL processing */
-	{ "verify",                bind_parse_verify,        1 }, /* set SSL verify method */
+	{ "cafile",                bind_parse_cafile,         1 }, /* set CAfile to process verify on client cert */
+	{ "ca-ignore-err",         bind_parse_ignore_err,     1 }, /* set error IDs to ignore on verify depth > 0 */
+	{ "ciphers",               bind_parse_ciphers,        1 }, /* set SSL cipher suite */
+	{ "crlfile",               bind_parse_crlfile,        1 }, /* set certificat revocation list file use on client cert verify */
+	{ "crt",                   bind_parse_crt,            1 }, /* load SSL certificates from this location */
+	{ "crt-ignore-err",        bind_parse_ignore_err,     1 }, /* set error IDs to ingore on verify depth == 0 */
+	{ "ecdhe",                 bind_parse_ecdhe,          1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+	{ "no-tls-tickets",        bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
+	{ "nosslv3",               bind_parse_nosslv3,        0 }, /* disable SSLv3 */
+	{ "notlsv10",              bind_parse_notlsv10,       0 }, /* disable TLSv10 */
+	{ "notlsv11",              bind_parse_notlsv11,       0 }, /* disable TLSv11 */
+	{ "notlsv12",              bind_parse_notlsv12,       0 }, /* disable TLSv12 */
+	{ "prefer-server-ciphers", bind_parse_psc,            0 }, /* prefer server ciphers */
+	{ "ssl",                   bind_parse_ssl,            0 }, /* enable SSL processing */
+	{ "verify",                bind_parse_verify,         1 }, /* set SSL verify method */
 	{ NULL, NULL, 0 },
 }};