git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present
author Nenad Merdanovic <nmerdan@anine.io>
Fri, 25 Mar 2016 21:16:57 +0000 (22:16 +0100)
committer Willy Tarreau <w@1wt.eu>
Tue, 29 Mar 2016 14:03:37 +0000 (16:03 +0200)
Olivier Doucet reported the issue on the ML and tested that when using
more than TLS_TICKETS_NO keys in the file, the CPU usage is much higher
than expected.

Lukas Tribus then provided a test case which showed that resumption doesn't
work at all in that case.

This fix needs to be backported to 1.6.

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
src/ssl_sock.c

index 101738859abc3b4f74f2b11c9d4f157edec774a3..994cdcc640b608c1f2d7595c952bc753b00962b0 100644 (file)
@@ -5406,8 +5406,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
        fclose(f);
 
        /* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
-       i-=2;
-       keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+       i -= 2;
+       keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i % TLS_TICKETS_NO;
        keys_ref->unique_id = -1;
        conf->keys_ref = keys_ref;
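Review bot: the comment above the changed lines ("Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1") no longer describes what the code does once `i % TLS_TICKETS_NO` is applied; it should also state that `i` counts every key read from the file and can exceed TLS_TICKETS_NO, so the encryption index has to wrap to stay inside the key array, otherwise the next reader will not see why the modulo is there. Before this change a file with more than TLS_TICKETS_NO keys left `tls_ticket_enc_index` out of range, which matches the broken resumption and the CPU-usage symptom in the message, so a regression test that loads a key file with more than TLS_TICKETS_NO entries and checks that a session is actually resumed would be a useful companion to this fix, and the same check would also cover the `i < 0` branch with a one-key file.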