MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>

commit: 05552d4b98127bd52d3e0008a6c62bde46be5c35 [log] [tgz]
author: Nenad Merdanovic <nmerdan@anine.io> Fri Feb 27 19:56:49 2015 +0100
committer: Willy Tarreau <w@1wt.eu> Sat Feb 28 23:10:22 2015 +0100
tree: 50cdfb00a344f0549e43ddcb053ee853d5551a76
parent: eaabd52e29a29187f9829fe727028a6ca530cbf9 [diff] [blame]
diff --git a/include/common/defaults.h b/include/common/defaults.h
index 0e37dac..3b31849 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h

@@ -290,4 +290,9 @@
 #ifndef OCSP_MAX_RESPONSE_TIME_SKEW
 #define OCSP_MAX_RESPONSE_TIME_SKEW 300
 #endif
+
+/* Number of TLS tickets to check, used for rotation */
+#ifndef TLS_TICKETS_NO
+#define TLS_TICKETS_NO 3
+#endif
 #endif /* _COMMON_DEFAULTS_H */
commit	05552d4b98127bd52d3e0008a6c62bde46be5c35	[log] [tgz]
author	Nenad Merdanovic <nmerdan@anine.io>	Fri Feb 27 19:56:49 2015 +0100
committer	Willy Tarreau <w@1wt.eu>	Sat Feb 28 23:10:22 2015 +0100
tree	50cdfb00a344f0549e43ddcb053ee853d5551a76
parent	eaabd52e29a29187f9829fe727028a6ca530cbf9 [diff] [blame]