From f9c5c4701c8d55ca7bdf856cc27c5f851e1220fd Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Thu, 11 Oct 2012 15:28:34 +0200 Subject: [PATCH] MINOR: ssl: add statement 'no-tls-tickets' on server side. --- doc/configuration.txt | 8 ++++++++ include/types/server.h | 1 + src/ssl_sock.c | 10 ++++++++++ 3 files changed, 19 insertions(+) diff --git a/doc/configuration.txt b/doc/configuration.txt index b44cb5f87..d9a756fdb 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -7240,6 +7240,14 @@ no-sslv3 Supported in default-server: No +no-tls-tickets + This setting is only available when support for OpenSSL was built in. It + disables the stateless session resumption (RFC 5077 TLS Ticket + extension) and force to use stateful session resumption. Stateless + session resumption is more expensive in CPU usage for servers. + + Supported in default-server: No + no-tlsv10 This option disables support for TLSv1.0 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled diff --git a/include/types/server.h b/include/types/server.h index fd99b64ff..2d2bb87e0 100644 --- a/include/types/server.h +++ b/include/types/server.h @@ -94,6 +94,7 @@ #define SRV_SSL_O_USE_TLSV11 0x0040 /* force TLSv1.1 */ #define SRV_SSL_O_USE_TLSV12 0x0080 /* force TLSv1.2 */ /* 0x00F0 reserved for 'force' protocol version options */ +#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */ #endif /* A tree occurrence is a descriptor of a place in a tree, with a pointer back diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d4024f2bd..fb59515af 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -611,6 +611,8 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy) options |= SSL_OP_NO_TLSv1_1; if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12) options |= SSL_OP_NO_TLSv1_2; + if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS) + options |= SSL_OP_NO_TICKET; if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method()); if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10) @@ -1536,6 +1538,13 @@ static int srv_parse_no_tlsv12(char **args, int *cur_arg, struct proxy *px, stru return 0; } +/* parse the "no-tls-tickets" server keyword */ +static int srv_parse_no_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) +{ + newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLS_TICKETS; + return 0; +} + /* parse the "ssl" server keyword */ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { @@ -1624,6 +1633,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, { { "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */ { "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */ { "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */ + { "no-tls-tickets", srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */ { "ssl", srv_parse_ssl, 0, 0 }, /* enable SSL processing */ { NULL, NULL, 0, 0 }, }};