key-file quoted_string;
prefer-server-ciphers boolean;
protocols { string; ... };
+ session-tickets boolean;
};
TRUST-ANCHORS
*ciphers = NULL;
bool tls_prefer_server_ciphers = false,
tls_prefer_server_ciphers_set = false;
+ bool tls_session_tickets = false, tls_session_tickets_set = false;
bool do_tls = false, no_tls = false, http = false;
ns_listenelt_t *delt = NULL;
uint32_t tls_protos = 0;
const cfg_obj_t *tls_proto_list = NULL;
const cfg_obj_t *ciphers_obj = NULL;
const cfg_obj_t *prefer_server_ciphers_obj = NULL;
+ const cfg_obj_t *session_tickets_obj = NULL;
do_tls = true;
prefer_server_ciphers_obj);
tls_prefer_server_ciphers_set = true;
}
+
+ if (cfg_map_get(tlsmap, "session-tickets",
+ &session_tickets_obj) == ISC_R_SUCCESS)
+ {
+ tls_session_tickets =
+ cfg_obj_asboolean(session_tickets_obj);
+ tls_session_tickets_set = true;
+ }
}
}
.ciphers = ciphers,
.prefer_server_ciphers = tls_prefer_server_ciphers,
.prefer_server_ciphers_set = tls_prefer_server_ciphers_set,
+ .session_tickets = tls_session_tickets,
+ .session_tickets_set = tls_session_tickets_set
};
httpobj = cfg_tuple_get(ltup, "http");
dhparam-file "dhparam.pem";
ciphers "HIGH:!aNULL:!MD5:!RC4";
prefer-server-ciphers yes;
+ session-tickets no;
};
http local-http-server {
dhparam-file "dhparam.pem";
ciphers "HIGH:!aNULL:!MD5:!RC4";
prefer-server-ciphers yes;
+ session-tickets no;
};
options {
Declares communication channels to get access to ``named`` statistics.
``tls``
- Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, and ``prefer-server-ciphers``.
+ Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
``http``
Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
``prefer-server-ciphers``
Specifies that server ciphers should be preferred over client ones.
+ ``session-tickets``
+ Enables or disables session resumption through TLS session tickets,
+ as defined in RFC5077. Disabling the stateless session tickets
+ might be required in the cases when forward secrecy is needed,
+ or the TLS certificate and key pair is planned to be used across
+ multiple BIND instances.
+
There are two built-in TLS connection configurations: ``ephemeral``,
uses a temporary key and certificate created for the current ``named``
session only, and ``none``, which can be used when setting up an HTTP
key\-file quoted_string;
prefer\-server\-ciphers boolean;
protocols { string; ... };
+ session\-tickets boolean;
};
.ft P
.fi
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
+ session-tickets <boolean>;
}; // may occur multiple times
trust-anchors { <string> ( static-key |
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
+ session-tickets <boolean>;
}; // may occur multiple times
trust-anchors { <string> ( static-key |
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
+ session-tickets <boolean>;
};
* \li 'ctx' != NULL.
*/
+void
+isc_tlsctx_session_tickets(isc_tlsctx_t *ctx, const bool use);
+/*%<
+ * Enable/Disable stateless session resumptions tickets on the given
+ * TLS context 'ctx' (see RFC5077).
+ *
+ * Requires:
+ * \li 'ctx' != NULL.
+ */
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx);
/*%<
}
}
+void
+isc_tlsctx_session_tickets(isc_tlsctx_t *ctx, const bool use) {
+ REQUIRE(ctx != NULL);
+
+ if (!use) {
+ (void)SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+ } else {
+ (void)SSL_CTX_clear_options(ctx, SSL_OP_NO_TICKET);
+ }
+}
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx) {
isc_tls_t *newctx = NULL;
{ "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, 0 },
{ "prefer-server-ciphers", &cfg_type_boolean, 0 },
+ { "session-tickets", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
const char *ciphers;
bool prefer_server_ciphers;
bool prefer_server_ciphers_set;
+ bool session_tickets;
+ bool session_tickets_set;
} ns_listen_tls_params_t;
/***
isc_tlsctx_prefer_server_ciphers(
sslctx, tls_params->prefer_server_ciphers);
}
+
+ if (tls_params->session_tickets_set) {
+ isc_tlsctx_session_tickets(sslctx,
+ tls_params->session_tickets);
+ }
}
elt = isc_mem_get(mctx, sizeof(*elt));