to specify a thread set which spans across several thread groups for such a
listener as this may caused "nbconn" to not work as intended.
+tls-tickets
+ This setting is only available when support for OpenSSL was built in. It
+ enables the stateless session resumption (RFC 5077 TLS Ticket extension). It
+ is the default, but it may be needed to selectively re-enable the feature on
+ a "bind" line if it had been globaly disabled via "no-tls-tickets" mentioned
+ in "ssl-default-bind-options". See also the "no-tls-tickets" bind keyword.
+
tls-ticket-keys <keyfile>
Sets the TLS ticket keys file to load the keys from. The keys need to be 48
or 80 bytes long, depending if aes128 or aes256 is used, encoded with base64
return parse_tls_method_minmax(args, *cur_arg, &newsrv->ssl_ctx.methods, err);
}
-/* parse the "no-tls-tickets" bind keyword */
+/* parse the "no-tls-tickets" and "tls-tickets" bind keywords */
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
+ if (strncmp(args[cur_arg], "no-", 3) == 0)
+ conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
+ else
+ conf->ssl_options &= ~BC_SSL_O_NO_TLS_TICKETS;
return 0;
}
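Review bot: The branch added at L20 decides between disabling and re-enabling tickets purely from the `no-` prefix of args[cur_arg], so the parser's meaning now depends on which keywords the bind_kw table (the "tls-tickets" entry added further down in this commit) routes to it; that coupling is not visible from the function body. A one-line comment above the strncmp would make it explicit, e.g. `/* registered for both "tls-tickets" and "no-tls-tickets"; the "no-" prefix selects the disabling form */`. The function is still named bind_parse_no_tls_tickets although it now handles the enabling keyword as well; a neutral name such as bind_parse_tls_tickets would read better if the table entries are updated in the same commit, but the current name is not incorrect. The prefix compare is safe only because the keyword was already matched exactly against the table before dispatch, which is worth stating in that comment.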
while (*(args[i])) {
if (strcmp(args[i], "no-tls-tickets") == 0)
global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
+ else if (strcmp(args[i], "tls-tickets") == 0)
+ global_ssl.listen_default_ssloptions &= ~BC_SSL_O_NO_TLS_TICKETS;
else if (strcmp(args[i], "prefer-client-ciphers") == 0)
global_ssl.listen_default_ssloptions |= BC_SSL_O_PREF_CLIE_CIPH;
else if (strcmp(args[i], "strict-sni") == 0)
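Review bot: The new "tls-tickets" arm at L29-L30 clears the bit that the "no-tls-tickets" arm just above sets, so when both keywords appear on one ssl-default-bind-options line the last one silently wins; that matches how the rest of this loop treats its options, but since this is the first pair of mutually exclusive keywords here it deserves a short comment, e.g. `/* "tls-tickets" and "no-tls-tickets" are opposites; the last one on the line wins */`. The enclosing function begins before this hunk. The bind-keyword documentation added earlier in this commit points users at "ssl-default-bind-options" for the global form; if the description of that global keyword is not extended to list "tls-tickets" elsewhere in the commit, it should be, since this loop is the only place that accepts it.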
{ "ssl-min-ver", bind_parse_tls_method_minmax, 1 }, /* minimum version */
{ "ssl-max-ver", bind_parse_tls_method_minmax, 1 }, /* maximum version */
{ "strict-sni", bind_parse_strict_sni, 0 }, /* refuse negotiation if sni doesn't match a certificate */
+ { "tls-tickets", bind_parse_no_tls_tickets, 0 }, /* enable session resumption tickets */
{ "tls-ticket-keys", bind_parse_tls_ticket_keys, 1 }, /* set file to load TLS ticket keys from */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ "npn", bind_parse_npn, 1 }, /* set NPN supported protocols */