From: Timo Sirainen
Date: Wed, 21 Oct 2015 10:32:58 +0000 (+0300)
Subject: ssl_options: Added support for no_ticket
X-Git-Tag: 2.2.20.rc1~126
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea6bcfde34e4cced9b42f1b4f5140a47752cb0ab;p=thirdparty%2Fdovecot%2Fcore.git
ssl_options: Added support for no_ticket
---
diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index 38a47a122a..e9a57da801 100644
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -104,6 +104,7 @@ master_service_ssl_settings_check(void *_set, pool_t pool ATTR_UNUSED,
 	/* Now explode the ssl_options string into individual flags */
 	/* First set them all to defaults */
 	set->parsed_opts.compression = TRUE;
+	set->parsed_opts.tickets = TRUE;
 
 	/* Then modify anything specified in the string */
 	const char **opts = t_strsplit_spaces(set->ssl_options, ", ");
@@ -111,6 +112,8 @@ master_service_ssl_settings_check(void *_set, pool_t pool ATTR_UNUSED,
 	while ((opt = *opts++) != NULL) {
 		if (strcasecmp(opt, "no_compression") == 0) {
 			set->parsed_opts.compression = FALSE;
+		} else if (strcasecmp(opt, "no_ticket") == 0) {
+			set->parsed_opts.tickets = FALSE;
 		} else {
 			*error_r = t_strdup_printf("ssl_options: unknown flag: '%s'",
 						   opt);
diff --git a/src/lib-master/master-service-ssl-settings.h b/src/lib-master/master-service-ssl-settings.h
index fc37fbfe13..2dd03205dc 100644
--- a/src/lib-master/master-service-ssl-settings.h
+++ b/src/lib-master/master-service-ssl-settings.h
@@ -23,6 +23,7 @@ struct master_service_ssl_settings {
 	/* These are derived from ssl_options, not set directly */
 	struct {
 		bool compression;
+		bool tickets;
 	} parsed_opts;
 };
 
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 97b042dd94..134b7fbe57 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
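Review bot: The new `bool tickets;` member of parsed_opts in master-service-ssl-settings.h has no comment saying what it controls, and the only place its meaning is pinned down is the SSL_OP_NO_TICKET mapping in a different file, so a reader of the settings header cannot tell whether TRUE means "tickets allowed" or "ticket option set". Suggest `bool tickets; /* TLS session tickets allowed; FALSE when ssl_options contains no_ticket */` next to the existing `bool compression;`. It would also help administrators to note in that comment why one would turn them off: the ticket encryption key is held by the TLS context for its lifetime (so, presumably, for the life of the process), which is the usual reason to prefer no_ticket when forward secrecy matters more than resumption.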
@@ -509,6 +509,10 @@ ssl_iostream_context_init_common(struct ssl_iostream_context *ctx,
 #ifdef SSL_OP_NO_COMPRESSION
 	if (!set->compression)
 		ssl_ops |= SSL_OP_NO_COMPRESSION;
+#endif
+#ifdef SSL_OP_NO_TICKET
+	if (!set->tickets)
+		ssl_ops |= SSL_OP_NO_TICKET;
 #endif
 	SSL_CTX_set_options(ctx->ssl_ctx, ssl_ops);
 #ifdef SSL_MODE_RELEASE_BUFFERS
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 2ad941406c..3969f74df5 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -19,6 +19,7 @@ struct ssl_iostream_settings {
 	bool require_valid_cert; /* stream-only */
 	bool prefer_server_ciphers;
 	bool compression;
+	bool tickets;
 };
 
 /* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index cf6a36a62c..cb69c08e7a 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -103,6 +103,7 @@ struct ssl_server_context {
 	bool verify_client_cert;
 	bool prefer_server_ciphers;
 	bool compression;
+	bool tickets;
 };
 
 static int extdata_index;
@@ -649,6 +650,7 @@ ssl_server_context_get(const struct login_settings *login_set,
 		login_set->auth_ssl_username_from_cert;
 	lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
 	lookup_ctx.compression = set->parsed_opts.compression;
+	lookup_ctx.tickets = set->parsed_opts.tickets;
 
 	ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
 	if (ctx == NULL)
@@ -1028,6 +1030,10 @@ ssl_proxy_ctx_init(SSL_CTX *ssl_ctx, const struct master_service_ssl_settings *s
 #ifdef SSL_OP_NO_COMPRESSION
 	if (!set->parsed_opts.compression)
 		ssl_ops |= SSL_OP_NO_COMPRESSION;
+#endif
+#ifdef SSL_OP_NO_TICKET
+	if (!set->parsed_opts.tickets)
+		ssl_ops |= SSL_OP_NO_TICKET;
 #endif
 	SSL_CTX_set_options(ssl_ctx, ssl_ops);
 
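Review bot: On an OpenSSL build where SSL_OP_NO_TICKET is not defined, the new `#ifdef` block in ssl_iostream_context_init_common() turns `no_ticket` into an accepted but silent no-op: master_service_ssl_settings_check() has already validated the flag, so the administrator believes tickets are off while the context still issues them. The same applies to the identical block added to ssl_proxy_ctx_init() later in this commit. This follows the precedent of the SSL_OP_NO_COMPRESSION block just above, but a hardening option deserves a visible failure; an `#else` branch that reports the setting as unsupported, or rejecting `no_ticket` at settings-check time when the macro is absent, would close the gap. ssl_iostream_context_init_common() begins and ends outside the hunk.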
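Review bot: `lookup_ctx.tickets = set->parsed_opts.tickets;` makes the new field part of the key passed to `hash_table_lookup(ssl_servers, &lookup_ctx)`, but no hunk in this commit touches the hash and compare callbacks registered for ssl_servers. Unless they are updated elsewhere, a cached context created with tickets enabled will be handed back for a lookup that asks for them disabled (and the reverse), and no_ticket will silently fail to take effect for that login process. If the compare callback already tests `compression`, it should gain the parallel check `if (ctx1->tickets != ctx2->tickets) return 1;`, and the hash callback should fold `tickets` in the same way it folds `compression`. ssl_server_context_get() begins and ends outside the hunk.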
@@ -1301,6 +1307,7 @@ ssl_server_context_init(const struct login_settings *login_set,
 		login_set->auth_ssl_username_from_cert;
 	ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
 	ctx->compression = ssl_set->parsed_opts.compression;
+	ctx->tickets = ssl_set->parsed_opts.tickets;
 
 	ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 	if (ssl_ctx == NULL)