mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-12-08 03:01:14 +01:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resumption

Browse Source 
Disables the stateless session resumption (RFC 5077 TLS Ticket extension)
and force to use stateful session resumption.
Stateless session resumption is more expensive in CPU usage.
This commit is contained in:
Emeric Brun 2012-10-02 13:45:20 +02:00 committed by Willy Tarreau
parent c6678e21bb
commit 2d0c482682
2 changed files with 29 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/types/listener.h
View File

@ -102,6 +102,7 @@ struct bind_conf {
char *ciphers; /* cipher suite to use if non-null */ char *ciphers; /* cipher suite to use if non-null */
char *crlfile; /* CRLfile to use on verify */ char *crlfile; /* CRLfile to use on verify */
char *ecdhe; /* named curve to use for ECDHE */ char *ecdhe; /* named curve to use for ECDHE */
int no_tls_tickets; /* disable session resumption tickets */
int nosslv3; /* disable SSLv3 */ int nosslv3; /* disable SSLv3 */
int notlsv10; /* disable TLSv1.0 */ int notlsv10; /* disable TLSv1.0 */
int notlsv11; /* disable TLSv1.1 */ int notlsv11; /* disable TLSv1.1 */

42
src/ssl_sock.c
View File

@ -447,6 +447,9 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu
#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 0.9.8 */ #ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 0.9.8 */
#define SSL_OP_SINGLE_ECDH_USE 0 #define SSL_OP_SINGLE_ECDH_USE 0
#endif #endif
#ifndef SSL_OP_NO_TICKET /* needs OpenSSL >= 0.9.8 */
#define SSL_OP_NO_TICKET 0
#endif
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */ #ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0 #define SSL_OP_NO_COMPRESSION 0
#endif #endif
@ -488,6 +491,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
ssloptions |= SSL_OP_NO_TLSv1_1; ssloptions |= SSL_OP_NO_TLSv1_1;
if (bind_conf->notlsv12) if (bind_conf->notlsv12)
ssloptions |= SSL_OP_NO_TLSv1_2; ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->no_tls_tickets)
ssloptions |= SSL_OP_NO_TICKET;
if (bind_conf->prefer_server_ciphers) if (bind_conf->prefer_server_ciphers)
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE; ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
@ -1192,6 +1197,14 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
return 0; return 0;
} }
/* parse the "no-tls-tickets" bind keyword */
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
conf->no_tls_tickets = 1;
return 0;
}
/* parse the "nosslv3" bind keyword */ /* parse the "nosslv3" bind keyword */
static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{ {
@ -1304,20 +1317,21 @@ static struct acl_kw_list acl_kws = {{ },{
* not enabled. * not enabled.
*/ */
static struct bind_kw_list bind_kws = { "SSL", { }, { static struct bind_kw_list bind_kws = { "SSL", { }, {
{ "cafile", bind_parse_cafile, 1 }, /* set CAfile to process verify on client cert */ { "cafile", bind_parse_cafile, 1 }, /* set CAfile to process verify on client cert */
{ "ca-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ignore on verify depth > 0 */ { "ca-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ignore on verify depth > 0 */
{ "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */ { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
{ "crlfile", bind_parse_crlfile, 1 }, /* set certificat revocation list file use on client cert verify */ { "crlfile", bind_parse_crlfile, 1 }, /* set certificat revocation list file use on client cert verify */
{ "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */ { "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */ { "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */ { "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
{ "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */ { "no-tls-tickets", bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
{ "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */ { "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */
{ "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */ { "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
{ "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */ { "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
{ "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */ { "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */ { "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */ { "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ NULL, NULL, 0 }, { NULL, NULL, 0 },
}}; }};