MINOR: ssl: add statement 'no-tls-tickets' on server side.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index b44cb5f878435b84f9cf4ddd833d0288d3be9208..d9a756fdbe877bd80a63f62242360232afd81f25 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7240,6 +7240,14 @@ no-sslv3
 
   Supported in default-server: No
 
+no-tls-tickets
+  This setting is only available when support for OpenSSL was built in. It
+  disables the stateless session resumption (RFC 5077 TLS Ticket
+  extension) and force to use stateful session resumption. Stateless
+  session resumption is more expensive in CPU usage for servers.
+
+  Supported in default-server: No
+
 no-tlsv10
   This option disables support for TLSv1.0 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled

diff --git a/include/types/server.h b/include/types/server.h
index fd99b64ff55f8a19067081146c789e6f637daaf8..2d2bb87e0636b826b96d4ce0af7e34b10180037b 100644 (file)
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -94,6 +94,7 @@
 #define SRV_SSL_O_USE_TLSV11   0x0040 /* force TLSv1.1 */
 #define SRV_SSL_O_USE_TLSV12   0x0080 /* force TLSv1.2 */
 /* 0x00F0 reserved for 'force' protocol version options */
+#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #endif
 
 /* A tree occurrence is a descriptor of a place in a tree, with a pointer back

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d4024f2bdf0f814a633acac795641326590662f1..fb59515af6a87dba643aac5bbc660d98d9571355 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -611,6 +611,8 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
                options |= SSL_OP_NO_TLSv1_1;
        if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
                options |= SSL_OP_NO_TLSv1_2;
+       if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
+               options |= SSL_OP_NO_TICKET;
        if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
                SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
        if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
@@ -1536,6 +1538,13 @@ static int srv_parse_no_tlsv12(char **args, int *cur_arg, struct proxy *px, stru
        return 0;
 }
 
+/* parse the "no-tls-tickets" server keyword */
+static int srv_parse_no_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+       newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLS_TICKETS;
+       return 0;
+}
+
 /* parse the "ssl" server keyword */
 static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -1624,6 +1633,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
        { "no-tlsv10",             srv_parse_no_tlsv10,      0, 0 }, /* disable TLSv10 */
        { "no-tlsv11",             srv_parse_no_tlsv11,      0, 0 }, /* disable TLSv11 */
        { "no-tlsv12",             srv_parse_no_tlsv12,      0, 0 }, /* disable TLSv12 */
+       { "no-tls-tickets",        srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */
        { "ssl",                   srv_parse_ssl,            0, 0 }, /* enable SSL processing */
        { NULL, NULL, 0, 0 },
 }};