From: Emeric Brun <ebrun@exceliance.fr>
Date: Tue, 2 Oct 2012 11:45:20 +0000 (+0200)
Subject: MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resum... 
X-Git-Tag: v1.5-dev13~235
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d0c48268202690ee96bd6c6a91b5e353be13b14;p=thirdparty%2Fhaproxy.git

MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resumption

Disables the stateless session resumption (RFC 5077 TLS Ticket extension)
and force to use stateful session resumption.
Stateless session resumption is more expensive in CPU usage.
---

diff --git a/include/types/listener.h b/include/types/listener.h
index b3d52a1862..601d6954c7 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -102,6 +102,7 @@ struct bind_conf {
 	char *ciphers;             /* cipher suite to use if non-null */
 	char *crlfile;             /* CRLfile to use on verify */
 	char *ecdhe;               /* named curve to use for ECDHE */
+	int no_tls_tickets;        /* disable session resumption tickets */
 	int nosslv3;               /* disable SSLv3 */
 	int notlsv10;              /* disable TLSv1.0 */
 	int notlsv11;              /* disable TLSv1.1 */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7baca58b08..07be3eaac8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -447,6 +447,9 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu
 #ifndef SSL_OP_SINGLE_ECDH_USE                          /* needs OpenSSL >= 0.9.8 */
 #define SSL_OP_SINGLE_ECDH_USE 0
 #endif
+#ifndef SSL_OP_NO_TICKET                                /* needs OpenSSL >= 0.9.8 */
+#define SSL_OP_NO_TICKET 0
+#endif
 #ifndef SSL_OP_NO_COMPRESSION                           /* needs OpenSSL >= 0.9.9 */
 #define SSL_OP_NO_COMPRESSION 0
 #endif
@@ -488,6 +491,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		ssloptions |= SSL_OP_NO_TLSv1_1;
 	if (bind_conf->notlsv12)
 		ssloptions |= SSL_OP_NO_TLSv1_2;
+	if (bind_conf->no_tls_tickets)
+		ssloptions |= SSL_OP_NO_TICKET;
 	if (bind_conf->prefer_server_ciphers)
 		ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 
@@ -1192,6 +1197,14 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
 	return 0;
 }
 
+/* parse the "no-tls-tickets" bind keyword */
+static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	conf->no_tls_tickets = 1;
+	return 0;
+}
+
+
 /* parse the "nosslv3" bind keyword */
 static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
@@ -1304,20 +1317,21 @@ static struct acl_kw_list acl_kws = {{ },{
  * not enabled.
  */
 static struct bind_kw_list bind_kws = { "SSL", { }, {
-	{ "cafile",                bind_parse_cafile,        1 }, /* set CAfile to process verify on client cert */
-	{ "ca-ignore-err",         bind_parse_ignore_err,    1 }, /* set error IDs to ignore on verify depth > 0 */
-	{ "ciphers",               bind_parse_ciphers,       1 }, /* set SSL cipher suite */
-	{ "crlfile",               bind_parse_crlfile,       1 }, /* set certificat revocation list file use on client cert verify */
-	{ "crt",                   bind_parse_crt,           1 }, /* load SSL certificates from this location */
-	{ "crt-ignore-err",        bind_parse_ignore_err,    1 }, /* set error IDs to ingore on verify depth == 0 */
-	{ "ecdhe",                 bind_parse_ecdhe,         1 }, /* defines named curve for elliptic curve Diffie-Hellman */
-	{ "nosslv3",               bind_parse_nosslv3,       0 }, /* disable SSLv3 */
-	{ "notlsv10",              bind_parse_notlsv10,      0 }, /* disable TLSv10 */
-	{ "notlsv11",              bind_parse_notlsv11,      0 }, /* disable TLSv11 */
-	{ "notlsv12",              bind_parse_notlsv12,      0 }, /* disable TLSv12 */
-	{ "prefer-server-ciphers", bind_parse_psc,           0 }, /* prefer server ciphers */
-	{ "ssl",                   bind_parse_ssl,           0 }, /* enable SSL processing */
-	{ "verify",                bind_parse_verify,        1 }, /* set SSL verify method */
+	{ "cafile",                bind_parse_cafile,         1 }, /* set CAfile to process verify on client cert */
+	{ "ca-ignore-err",         bind_parse_ignore_err,     1 }, /* set error IDs to ignore on verify depth > 0 */
+	{ "ciphers",               bind_parse_ciphers,        1 }, /* set SSL cipher suite */
+	{ "crlfile",               bind_parse_crlfile,        1 }, /* set certificat revocation list file use on client cert verify */
+	{ "crt",                   bind_parse_crt,            1 }, /* load SSL certificates from this location */
+	{ "crt-ignore-err",        bind_parse_ignore_err,     1 }, /* set error IDs to ingore on verify depth == 0 */
+	{ "ecdhe",                 bind_parse_ecdhe,          1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+	{ "no-tls-tickets",        bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
+	{ "nosslv3",               bind_parse_nosslv3,        0 }, /* disable SSLv3 */
+	{ "notlsv10",              bind_parse_notlsv10,       0 }, /* disable TLSv10 */
+	{ "notlsv11",              bind_parse_notlsv11,       0 }, /* disable TLSv11 */
+	{ "notlsv12",              bind_parse_notlsv12,       0 }, /* disable TLSv12 */
+	{ "prefer-server-ciphers", bind_parse_psc,            0 }, /* prefer server ciphers */
+	{ "ssl",                   bind_parse_ssl,            0 }, /* enable SSL processing */
+	{ "verify",                bind_parse_verify,         1 }, /* set SSL verify method */
 	{ NULL, NULL, 0 },
 }};