SSL_OP_SINGLE_ECDH_USE;
if (!df.d_enableTickets || df.d_numberOfTicketsKeys == 0) {
+ /* for TLS 1.3 this means no stateless tickets, but stateful tickets might still be issued,
+ which is something we don't want. */
sslOptions |= SSL_OP_NO_TICKET;
+ /* really disable all tickets */
+#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
+ SSL_CTX_set_num_tickets(ctx.get(), 0);
+#endif /* HAVE_SSL_CTX_SET_NUM_TICKETS */
}
else {
df.d_ticketKeys = std::unique_ptr<OpenSSLTLSTicketKeysRing>(new OpenSSLTLSTicketKeysRing(df.d_numberOfTicketsKeys));
save_LIBS=$LIBS
CFLAGS="$LIBSSL_CFLAGS $CFLAGS"
LIBS="$LIBSSL_LIBS -lcrypto $LIBS"
- AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites OCSP_basic_sign])
+ AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites OCSP_basic_sign SSL_CTX_set_num_tickets])
CFLAGS=$save_CFLAGS
LIBS=$save_LIBS
}
if (!fe.d_enableTickets || fe.d_numberOfTicketsKeys == 0) {
+ /* for TLS 1.3 this means no stateless tickets, but stateful tickets might still be issued,
+ which is something we don't want. */
sslOptions |= SSL_OP_NO_TICKET;
+ /* really disable all tickets */
+#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS
+ SSL_CTX_set_num_tickets(d_tlsCtx.get(), 0);
+#endif /* HAVE_SSL_CTX_SET_NUM_TICKETS */
}
else {
/* use our own ticket keys handler so we can rotate them */
projects / thirdparty / pdns.git / commitdiff
