1berry/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MINOR: ssl: also provide the "tls-tickets" bind option

Browse Source 
Currently there is "no-tls-tickets" that is also supported in the
ssl-default-bind-options directive, but there's no way to re-enable
them on a specific "bind" line. This patch simply provides the option
to re-enable them. Note that the flag is inverted because tickets are
enabled by default and the no-tls-ticket option sets the flag to
disable them.
This commit is contained in:
Willy Tarreau 2025-05-22 15:28:37 +02:00
parent 3494775a1f
commit 1c0f2e62ad
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/configuration.txt
View File

@ -17106,6 +17106,13 @@ thread [<thread-group>/]<thread-set>[,...]
to specify a thread set which spans across several thread groups for such a to specify a thread set which spans across several thread groups for such a
listener as this may caused "nbconn" to not work as intended. listener as this may caused "nbconn" to not work as intended.
tls-tickets
This setting is only available when support for OpenSSL was built in. It
enables the stateless session resumption (RFC 5077 TLS Ticket extension). It
is the default, but it may be needed to selectively re-enable the feature on
a "bind" line if it had been globaly disabled via "no-tls-tickets" mentioned
in "ssl-default-bind-options". See also the "no-tls-tickets" bind keyword.
tls-ticket-keys <keyfile> tls-ticket-keys <keyfile>
Sets the TLS ticket keys file to load the keys from. The keys need to be 48 Sets the TLS ticket keys file to load the keys from. The keys need to be 48
or 80 bytes long, depending if aes128 or aes256 is used, encoded with base64 or 80 bytes long, depending if aes128 or aes256 is used, encoded with base64

8
src/cfgparse-ssl.c
View File

@ -1094,10 +1094,13 @@ static int srv_parse_tls_method_minmax(char **args, int *cur_arg, struct proxy *
return parse_tls_method_minmax(args, *cur_arg, &newsrv->ssl_ctx.methods, err); return parse_tls_method_minmax(args, *cur_arg, &newsrv->ssl_ctx.methods, err);
} }
/* parse the "no-tls-tickets" bind keyword */ /* parse the "no-tls-tickets" and "tls-tickets" bind keywords */
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{ {
if (strncmp(args[cur_arg], "no-", 3) == 0)
conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS; conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
else
conf->ssl_options &= ~BC_SSL_O_NO_TLS_TICKETS;
return 0; return 0;
} }
@ -2030,6 +2033,8 @@ static int ssl_parse_default_bind_options(char **args, int section_type, struct
while (*(args[i])) { while (*(args[i])) {
if (strcmp(args[i], "no-tls-tickets") == 0) if (strcmp(args[i], "no-tls-tickets") == 0)
global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS; global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
else if (strcmp(args[i], "tls-tickets") == 0)
global_ssl.listen_default_ssloptions &= ~BC_SSL_O_NO_TLS_TICKETS;
else if (strcmp(args[i], "prefer-client-ciphers") == 0) else if (strcmp(args[i], "prefer-client-ciphers") == 0)
global_ssl.listen_default_ssloptions |= BC_SSL_O_PREF_CLIE_CIPH; global_ssl.listen_default_ssloptions |= BC_SSL_O_PREF_CLIE_CIPH;
else if (strcmp(args[i], "strict-sni") == 0) else if (strcmp(args[i], "strict-sni") == 0)
@ -2464,6 +2469,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
{ "ssl-min-ver", bind_parse_tls_method_minmax, 1 }, /* minimum version */ { "ssl-min-ver", bind_parse_tls_method_minmax, 1 }, /* minimum version */
{ "ssl-max-ver", bind_parse_tls_method_minmax, 1 }, /* maximum version */ { "ssl-max-ver", bind_parse_tls_method_minmax, 1 }, /* maximum version */
{ "strict-sni", bind_parse_strict_sni, 0 }, /* refuse negotiation if sni doesn't match a certificate */ { "strict-sni", bind_parse_strict_sni, 0 }, /* refuse negotiation if sni doesn't match a certificate */
{ "tls-tickets", bind_parse_no_tls_tickets, 0 }, /* enable session resumption tickets */
{ "tls-ticket-keys", bind_parse_tls_ticket_keys, 1 }, /* set file to load TLS ticket keys from */ { "tls-ticket-keys", bind_parse_tls_ticket_keys, 1 }, /* set file to load TLS ticket keys from */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */ { "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ "npn", bind_parse_npn, 1 }, /* set NPN supported protocols */ { "npn", bind_parse_npn, 1 }, /* set NPN supported protocols */