From: Nenad Merdanovic
Date: Fri, 25 Mar 2016 21:16:57 +0000 (+0100)
Subject: BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present
X-Git-Tag: v1.7-dev3~91
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1789115a52e5c512746717aacd71346a1e328ad5;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present

Olivier Doucet reported the issue on the ML and tested that when using more than TLS_TICKETS_NO keys in the file, the CPU usage is much higher than expected. Lukas Tribus then provided a test case which showed that resumption doesn't work at all in that case.

This fix needs to be backported to 1.6.

Signed-off-by: Nenad Merdanovic
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 101738859a..994cdcc640 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5406,8 +5406,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px fclose(f); /* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */ - i-=2; - keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i; + i -= 2; + keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i % TLS_TICKETS_NO; keys_ref->unique_id = -1; conf->keys_ref = keys_ref;
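Review bot: The comment above the changed lines ("Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1") no longer describes the behaviour once `i % TLS_TICKETS_NO` is applied: when the file holds more keys than TLS_TICKETS_NO, the encryption index now wraps onto a ring slot rather than selecting the penultimate key of the file, and that is exactly the case the commit message says previously broke resumption (an index past the end of the key array means tickets are issued with a key the decrypt path cannot find, forcing full handshakes and the reported CPU increase). Suggest extending the comment to state the wrap, e.g. "index wraps modulo TLS_TICKETS_NO when the file has more keys than the ring holds", and confirming in the loading loop (not visible in this hunk) that key number k is stored at slot k % TLS_TICKETS_NO so the encrypt index and the stored keys agree. Since the modulo silently accepts an oversized key file, also consider a parse-time warning telling the operator that only TLS_TICKETS_NO keys are kept, so a rotation script that appends keys without truncating does not go unnoticed.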