add flag to send early session tickets

mainly for TTLS and PEAP

diff --git a/src/include/tls-h b/src/include/tls-h
index f994f58d5a4c56232db07579247e9b15ae6e413f..5945d8b7f8c7307e8e793eaa809aaefd7abfc735 100644 (file)
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -368,6 +368,7 @@ struct fr_tls_server_conf_t {
 #ifdef TLS1_3_VERSION
        bool            tls13_enable_magic;
        bool            tls13_send_zero;
+       bool            tls13_early_session_tickets;
 #endif
 
        char const      *tls_min_version;

diff --git a/src/main/tls.c b/src/main/tls.c
index aa2aeb98596c7e250b6bea0efd6720eedb3022f1..8b6b128dba27c811421a0aa482cc16c423c418ae 100644 (file)
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -831,6 +831,15 @@ int tls_handshake_recv(REQUEST *request, tls_session_t *ssn)
 #ifdef TLS1_3_VERSION
                case TLS1_3_VERSION:
                        str_version = "TLS 1.3";
+
+                       {
+                               fr_tls_server_conf_t    *conf;
+                               conf = (fr_tls_server_conf_t *)SSL_CTX_get_app_data(ssn->ctx);
+
+                               if (conf->tls13_early_session_tickets && conf->session_cache_enable) {
+                                       SSL_set_num_tickets(ssn->ssl, 1);
+                               }
+                       }
                        break;
 #endif
                default:
@@ -1373,6 +1382,7 @@ static CONF_PARSER tls_server_config[] = {
 #ifdef TLS1_3_VERSION
        { "tls13_enable", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, tls13_enable_magic), NULL },
        { "tls13_send_zero", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, tls13_send_zero), NULL },
+       { "tls13_early_session_tickets", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, tls13_early_session_tickets), NULL },
 #endif
 
        { "cache", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) cache_config },