From: Emeric Brun <ebrun@exceliance.fr>
Date: Thu, 11 Oct 2012 13:28:34 +0000 (+0200)
Subject: MINOR: ssl: add statement 'no-tls-tickets' on server side.
X-Git-Tag: v1.5-dev13~163
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9c5c4701c8d55ca7bdf856cc27c5f851e1220fd;p=thirdparty%2Fhaproxy.git

MINOR: ssl: add statement 'no-tls-tickets' on server side.
---

diff --git a/doc/configuration.txt b/doc/configuration.txt
index b44cb5f878..d9a756fdbe 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7240,6 +7240,14 @@ no-sslv3
 
   Supported in default-server: No
 
+no-tls-tickets
+  This setting is only available when support for OpenSSL was built in. It
+  disables the stateless session resumption (RFC 5077 TLS Ticket
+  extension) and force to use stateful session resumption. Stateless
+  session resumption is more expensive in CPU usage for servers.
+
+  Supported in default-server: No
+
 no-tlsv10
   This option disables support for TLSv1.0 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
diff --git a/include/types/server.h b/include/types/server.h
index fd99b64ff5..2d2bb87e06 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -94,6 +94,7 @@
 #define SRV_SSL_O_USE_TLSV11   0x0040 /* force TLSv1.1 */
 #define SRV_SSL_O_USE_TLSV12   0x0080 /* force TLSv1.2 */
 /* 0x00F0 reserved for 'force' protocol version options */
+#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #endif
 
 /* A tree occurrence is a descriptor of a place in a tree, with a pointer back
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d4024f2bdf..fb59515af6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -611,6 +611,8 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
 		options |= SSL_OP_NO_TLSv1_1;
 	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
 		options |= SSL_OP_NO_TLSv1_2;
+	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
+		options |= SSL_OP_NO_TICKET;
 	if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
 		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
 	if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
@@ -1536,6 +1538,13 @@ static int srv_parse_no_tlsv12(char **args, int *cur_arg, struct proxy *px, stru
 	return 0;
 }
 
+/* parse the "no-tls-tickets" server keyword */
+static int srv_parse_no_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLS_TICKETS;
+	return 0;
+}
+
 /* parse the "ssl" server keyword */
 static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -1624,6 +1633,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "no-tlsv10",             srv_parse_no_tlsv10,      0, 0 }, /* disable TLSv10 */
 	{ "no-tlsv11",             srv_parse_no_tlsv11,      0, 0 }, /* disable TLSv11 */
 	{ "no-tlsv12",             srv_parse_no_tlsv12,      0, 0 }, /* disable TLSv12 */
+	{ "no-tls-tickets",        srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */
 	{ "ssl",                   srv_parse_ssl,            0, 0 }, /* enable SSL processing */
 	{ NULL, NULL, 0, 0 },
 }};