ssl_options: Added support for no_ticket
authorTimo Sirainen <tss@iki.fi>
Wed, 21 Oct 2015 10:32:58 +0000 (13:32 +0300)
committerTimo Sirainen <tss@iki.fi>
Wed, 21 Oct 2015 10:32:58 +0000 (13:32 +0300)
src/lib-master/master-service-ssl-settings.c
src/lib-master/master-service-ssl-settings.h
src/lib-ssl-iostream/iostream-openssl-context.c
src/lib-ssl-iostream/iostream-ssl.h
src/login-common/ssl-proxy-openssl.c

index 38a47a122a0fa93294c4f7fc0534328ff5360efd..e9a57da801d47d7094ddda785cb8c8fdbd498a5a 100644 (file)
@@ -104,6 +104,7 @@ master_service_ssl_settings_check(void *_set, pool_t pool ATTR_UNUSED,
        /* Now explode the ssl_options string into individual flags */
        /* First set them all to defaults */
        set->parsed_opts.compression = TRUE;
+       set->parsed_opts.tickets = TRUE;
 
        /* Then modify anything specified in the string */
        const char **opts = t_strsplit_spaces(set->ssl_options, ", ");
@@ -111,6 +112,8 @@ master_service_ssl_settings_check(void *_set, pool_t pool ATTR_UNUSED,
        while ((opt = *opts++) != NULL) {
                if (strcasecmp(opt, "no_compression") == 0) {
                        set->parsed_opts.compression = FALSE;
+               } else if (strcasecmp(opt, "no_ticket") == 0) {
+                       set->parsed_opts.tickets = FALSE;
                } else {
                        *error_r = t_strdup_printf("ssl_options: unknown flag: '%s'",
                                                   opt);
index fc37fbfe13a12947686bedae83e7a92d72e18bf0..2dd03205dc77e2ccb4051ac06207067a982f0bf3 100644 (file)
@@ -23,6 +23,7 @@ struct master_service_ssl_settings {
        /* These are derived from ssl_options, not set directly */
        struct {
                bool compression;
+               bool tickets;
        } parsed_opts;
 };
 
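Review bot: The new `tickets` member says nothing about what it controls or why an operator would turn it off, and the only place the `no_ticket` keyword appears is inside the parser loop, so readers of this header have to go hunting. Suggest `bool tickets; /* TLS session tickets allowed (default TRUE); ssl_options "no_ticket" clears it. Disabling trades resumption speed for not depending on a long-lived ticket key. */`. The forward-secrecy rationale is the usual reason for this knob, but confirm that is the motivation here before committing the wording.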
index 97b042dd9467955647113b706829ed224cb2459d..134b7fbe57ccfb90d413e6477f260471c94ee2ec 100644 (file)
@@ -509,6 +509,10 @@ ssl_iostream_context_init_common(struct ssl_iostream_context *ctx,
 #ifdef SSL_OP_NO_COMPRESSION
        if (!set->compression)
                ssl_ops |= SSL_OP_NO_COMPRESSION;
+#endif
+#ifdef SSL_OP_NO_TICKET
+       if (!set->tickets)
+               ssl_ops |= SSL_OP_NO_TICKET;
 #endif
        SSL_CTX_set_options(ctx->ssl_ctx, ssl_ops);
 #ifdef SSL_MODE_RELEASE_BUFFERS
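Review bot: If the build's OpenSSL does not define `SSL_OP_NO_TICKET`, the new `#ifdef` block compiles to nothing, so a configured `no_ticket` passes the settings check yet silently changes nothing; the duplicate block in ssl-proxy-openssl.c (the ssl_proxy_ctx_init hunk) has the same gap. The pre-existing `SSL_OP_NO_COMPRESSION` block shares the pattern, so this is not new, but an operator asking for no tickets deserves at least a warning in an `#else` branch, or the settings check should reject the flag when the option is unavailable. In practice the macro has been present in every supported OpenSSL for a long time, so this is a hardening point rather than a likely field failure. ssl_iostream_context_init_common starts and ends outside the hunk.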
index 2ad941406cbccb8db6c1206e143359443e937ea6..3969f74df5dae8e2043ab9d69e683f93bd79b57d 100644 (file)
@@ -19,6 +19,7 @@ struct ssl_iostream_settings {
        bool require_valid_cert; /* stream-only */
        bool prefer_server_ciphers;
        bool compression;
+       bool tickets;
 };
 
 /* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
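Review bot: `tickets` is a positive-polarity flag in a struct that lib-ssl-iostream callers fill field by field, so any caller this commit does not touch and that zero-initialises `struct ssl_iostream_settings` would now get `SSL_OP_NO_TICKET` applied by the `!set->tickets` test in iostream-openssl-context.c. I cannot see those callers here, so this is a check rather than a confirmed bug; `compression` already has the same polarity, which is why I am not asking for a rename in this commit. If the behaviour is intended, say so next to the field: `bool tickets; /* TRUE = allow TLS session tickets; a zeroed settings struct disables them */`.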
index cf6a36a62c116fccfd6414b7de059ddbb7928727..cb69c08e7adae9062067680699dba57c746e795b 100644 (file)
@@ -103,6 +103,7 @@ struct ssl_server_context {
        bool verify_client_cert;
        bool prefer_server_ciphers;
        bool compression;
+       bool tickets;
 };
 
 static int extdata_index;
@@ -649,6 +650,7 @@ ssl_server_context_get(const struct login_settings *login_set,
                login_set->auth_ssl_username_from_cert;
        lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
        lookup_ctx.compression = set->parsed_opts.compression;
+       lookup_ctx.tickets = set->parsed_opts.tickets;
 
        ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
        if (ctx == NULL)
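Review bot: `lookup_ctx.tickets` only influences the `hash_table_lookup(ssl_servers, &lookup_ctx)` result if the table's hash and compare callbacks include the new field, and neither callback appears in this diff. If they compare the other option fields, two login settings that differ only in `no_ticket` would resolve to the same cached `SSL_CTX` and one of them would run with the wrong `SSL_OP_NO_TICKET` state; if they do not compare `compression` either, the omission is pre-existing and worth a follow-up. Please extend the compare and hash callbacks to cover `tickets`, or add a comment at the lookup explaining why the key deliberately ignores it. ssl_server_context_get starts and ends outside the hunk.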
@@ -1028,6 +1030,10 @@ ssl_proxy_ctx_init(SSL_CTX *ssl_ctx, const struct master_service_ssl_settings *s
 #ifdef SSL_OP_NO_COMPRESSION
        if (!set->parsed_opts.compression)
                ssl_ops |= SSL_OP_NO_COMPRESSION;
+#endif
+#ifdef SSL_OP_NO_TICKET
+       if (!set->parsed_opts.tickets)
+               ssl_ops |= SSL_OP_NO_TICKET;
 #endif
        SSL_CTX_set_options(ssl_ctx, ssl_ops);
 
@@ -1301,6 +1307,7 @@ ssl_server_context_init(const struct login_settings *login_set,
                login_set->auth_ssl_username_from_cert;
        ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
        ctx->compression = ssl_set->parsed_opts.compression;
+       ctx->tickets = ssl_set->parsed_opts.tickets;
 
        ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
        if (ssl_ctx == NULL)