Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / f9c5c4701c8d55ca7bdf856cc27c5f851e1220fd^! / .
commitf9c5c4701c8d55ca7bdf856cc27c5f851e1220fd[log] [tgz]
authorEmeric Brun <ebrun@exceliance.fr>Thu Oct 11 15:28:34 2012 +0200
committerWilly Tarreau <w@1wt.eu>Fri Oct 12 11:48:55 2012 +0200
treea70e20312685fb8d11c5ef2ff31d117cc4ee4479
parentecc91fea7bef53d265cb06693d07cdefb196a14c [diff]
MINOR: ssl: add statement 'no-tls-tickets' on server side.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index b44cb5f..d9a756f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -7240,6 +7240,14 @@
 
   Supported in default-server: No
 
+no-tls-tickets
+  This setting is only available when support for OpenSSL was built in. It
+  disables the stateless session resumption (RFC 5077 TLS Ticket
+  extension) and force to use stateful session resumption. Stateless
+  session resumption is more expensive in CPU usage for servers.
+
+  Supported in default-server: No
+
 no-tlsv10
   This option disables support for TLSv1.0 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled

diff --git a/include/types/server.h b/include/types/server.h
index fd99b64..2d2bb87 100644
--- a/include/types/server.h
+++ b/include/types/server.h

@@ -94,6 +94,7 @@
 #define SRV_SSL_O_USE_TLSV11   0x0040 /* force TLSv1.1 */
 #define SRV_SSL_O_USE_TLSV12   0x0080 /* force TLSv1.2 */
 /* 0x00F0 reserved for 'force' protocol version options */
+#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #endif
 
 /* A tree occurrence is a descriptor of a place in a tree, with a pointer back

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d4024f2..fb59515 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -611,6 +611,8 @@
 		options |= SSL_OP_NO_TLSv1_1;
 	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
 		options |= SSL_OP_NO_TLSv1_2;
+	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
+		options |= SSL_OP_NO_TICKET;
 	if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
 	if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
@@ -1536,6 +1538,13 @@
 	return 0;
 }
 
+/* parse the "no-tls-tickets" server keyword */
+static int srv_parse_no_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLS_TICKETS;
+	return 0;
+}
+
 /* parse the "ssl" server keyword */
 static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -1624,6 +1633,7 @@
 	{ "no-tlsv10",             srv_parse_no_tlsv10,      0, 0 }, /* disable TLSv10 */
 	{ "no-tlsv11",             srv_parse_no_tlsv11,      0, 0 }, /* disable TLSv11 */
 	{ "no-tlsv12",             srv_parse_no_tlsv12,      0, 0 }, /* disable TLSv12 */
+	{ "no-tls-tickets",        srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */
 	{ "ssl",                   srv_parse_ssl,            0, 0 }, /* enable SSL processing */
 	{ NULL, NULL, 0, 0 },
 }};