MINOR: ssl/server: add the "no-ssl-reuse" server option

This option disables SSL session reuse when SSL is used to communicate with
the server. It will force the server to perform a full handshake for every
new connection. It's probably only useful for benchmarking, troubleshooting,
and for paranoid users.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9a50ef41dd34c937189044f89e0c1ed37835f476..971c26e8ff6c58983e247ce80260e6efdd226c36 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -9349,6 +9349,14 @@ minconn <minconn>
 
   Supported in default-server: Yes
 
+no-ssl-reuse
+  This option disables SSL session reuse when SSL is used to communicate with
+  the server. It will force the server to perform a full handshake for every
+  new connection. It's probably only useful for benchmarking, troubleshooting,
+  and for paranoid users.
+
+  Supported in default-server: No
+
 no-sslv3
   This option disables support for SSLv3 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled

diff --git a/include/types/server.h b/include/types/server.h
index 4f97e17cb3f089510181f7019267d9740fb7e594..23bb2b7fcd3b597edd76f14aeb61db1bd3c969bf 100644 (file)
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -122,6 +122,7 @@ enum srv_admin {
 #define SRV_SSL_O_USE_TLSV12   0x0080 /* force TLSv1.2 */
 /* 0x00F0 reserved for 'force' protocol version options */
 #define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
+#define SRV_SSL_O_NO_REUSE     0x200  /* disable session reuse */
 #endif
 
 struct pid_list {

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f5642ccea754fff32fcdbfe3da977bc04126da32..8739e8bac58a5aaeec7053ba760a1e5f2a9b9af5 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2347,7 +2347,8 @@ reneg_ok:
                        if (objt_server(conn->target)->ssl_ctx.reused_sess)
                                SSL_SESSION_free(objt_server(conn->target)->ssl_ctx.reused_sess);
 
-                       objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
+                       if (!(objt_server(conn->target)->ssl_ctx.options & SRV_SSL_O_NO_REUSE))
+                               objt_server(conn->target)->ssl_ctx.reused_sess = SSL_get1_session(conn->xprt_ctx);
                }
                else {
                        update_freq_ctr(&global.ssl_fe_keys_per_sec, 1);
@@ -4366,6 +4367,13 @@ static int srv_parse_force_tlsv12(char **args, int *cur_arg, struct proxy *px, s
 #endif
 }
 
+/* parse the "no-ssl-reuse" server keyword */
+static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+       newsrv->ssl_ctx.options |= SRV_SSL_O_NO_REUSE;
+       return 0;
+}
+
 /* parse the "no-sslv3" server keyword */
 static int srv_parse_no_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -4677,6 +4685,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
        { "force-tlsv10",          srv_parse_force_tlsv10,   0, 0 }, /* force TLSv10 */
        { "force-tlsv11",          srv_parse_force_tlsv11,   0, 0 }, /* force TLSv11 */
        { "force-tlsv12",          srv_parse_force_tlsv12,   0, 0 }, /* force TLSv12 */
+       { "no-ssl-reuse",          srv_parse_no_ssl_reuse,   0, 0 }, /* disable session reuse */
        { "no-sslv3",              srv_parse_no_sslv3,       0, 0 }, /* disable SSLv3 */
        { "no-tlsv10",             srv_parse_no_tlsv10,      0, 0 }, /* disable TLSv10 */
        { "no-tlsv11",             srv_parse_no_tlsv11,      0, 0 }, /* disable TLSv11 */