From: Willy Tarreau
Date: Thu, 22 May 2025 13:28:37 +0000 (+0200)
Subject: MINOR: ssl: also provide the "tls-tickets" bind option
X-Git-Tag: v3.2.0~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c0f2e62ad784e09f3c878ab3584f77e0f297760;p=thirdparty%2Fhaproxy.git

MINOR: ssl: also provide the "tls-tickets" bind option

Currently there is "no-tls-tickets" that is also supported in the ssl-default-bind-options directive, but there's no way to re-enable them on a specific "bind" line. This patch simply provides the option to re-enable them. Note that the flag is inverted because tickets are enabled by default and the no-tls-ticket option sets the flag to disable them.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7fcbd266d..596d6ab11 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -17106,6 +17106,13 @@ thread [/][,...]
 to specify a thread set which spans across several thread groups for such a listener as this may caused "nbconn" to not work as intended.
+tls-tickets
+ This setting is only available when support for OpenSSL was built in. It
+ enables the stateless session resumption (RFC 5077 TLS Ticket extension). It
+ is the default, but it may be needed to selectively re-enable the feature on
+ a "bind" line if it had been globaly disabled via "no-tls-tickets" mentioned
+ in "ssl-default-bind-options". See also the "no-tls-tickets" bind keyword.
+
 tls-ticket-keys
 Sets the TLS ticket keys file to load the keys from. The keys need to be 48 or 80 bytes long, depending if aes128 or aes256 is used, encoded with base64
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index d100262f5..44171b67d 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1094,10 +1094,13 @@ static int srv_parse_tls_method_minmax(char **args, int *cur_arg, struct proxy *
 return parse_tls_method_minmax(args, *cur_arg, &newsrv->ssl_ctx.methods, err);
 }
-/* parse the "no-tls-tickets" bind keyword */
+/* parse the "no-tls-tickets" and "tls-tickets" bind keywords */
 static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
- conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
+ if (strncmp(args[cur_arg], "no-", 3) == 0)
+ conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
+ else
+ conf->ssl_options &= ~BC_SSL_O_NO_TLS_TICKETS;
 return 0;
 }
@@ -2030,6 +2033,8 @@ static int ssl_parse_default_bind_options(char **args, int section_type, struct
 while (*(args[i])) {
 if (strcmp(args[i], "no-tls-tickets") == 0)
 global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
+ else if (strcmp(args[i], "tls-tickets") == 0)
+ global_ssl.listen_default_ssloptions &= ~BC_SSL_O_NO_TLS_TICKETS;
 else if (strcmp(args[i], "prefer-client-ciphers") == 0)
 global_ssl.listen_default_ssloptions |= BC_SSL_O_PREF_CLIE_CIPH;
 else if (strcmp(args[i], "strict-sni") == 0)
@@ -2464,6 +2469,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 { "ssl-min-ver", bind_parse_tls_method_minmax, 1 }, /* minimum version */
 { "ssl-max-ver", bind_parse_tls_method_minmax, 1 }, /* maximum version */
 { "strict-sni", bind_parse_strict_sni, 0 }, /* refuse negotiation if sni doesn't match a certificate */
+ { "tls-tickets", bind_parse_no_tls_tickets, 0 }, /* enable session resumption tickets */
 { "tls-ticket-keys", bind_parse_tls_ticket_keys, 1 }, /* set file to load TLS ticket keys from */
 { "verify", bind_parse_verify, 1 }, /* set SSL verify method */
 { "npn", bind_parse_npn, 1 }, /* set NPN supported protocols */
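Review bot: The set-or-clear decision in bind_parse_no_tls_tickets now rests on `strncmp(args[cur_arg], "no-", 3) == 0`, so the function's meaning depends on which entries of the bind_kws table happen to route to it, and any future "no-…" keyword pointed at this parser would silently disable tickets rather than fail. Comparing the full keyword, `if (strcmp(args[cur_arg], "no-tls-tickets") == 0)`, makes the pairing explicit and matches the exact-match style the second hunk uses for the same two keywords in ssl_parse_default_bind_options. This is a robustness and consistency point, not a bug, since the table presumably only registers the two names the updated comment lists. The while loop in the second hunk starts and ends outside the hunk.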
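Review bot: The trailing comment on the new `"tls-tickets"` entry in bind_kws reads as if the keyword turns the feature on, whereas the parser only clears BC_SSL_O_NO_TLS_TICKETS that "no-tls-tickets" or ssl-default-bind-options may have set on the bind_conf; `/* re-enable session resumption tickets (undo no-tls-tickets) */` would tell a reader why a default-on feature needs a keyword at all. The entry is also placed before "tls-ticket-keys" although "tls-ticket-keys" sorts first in ASCII order, so if the table is meant to stay sorted it belongs one line lower; this is cosmetic if lookup is a linear scan. The bind_kws initializer starts and ends outside the hunk.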