Allow configuation of the number of TLSv1.3 session tickets via SSL_CONF
Also allows the apps to set it. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5227)
parent
9d0a8bb71e
commit
394159da60
@ -281,8 +281,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
|||
"Block size to pad TLS 1.3 records to."}, \
|
||||
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
|
||||
"Perform all sorts of protocol violations for testing purposes"}, \
|
||||
{"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode" }
|
||||
|
||||
{"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
|
||||
"Disable TLSv1.3 middlebox compat mode" }
|
||||
|
||||
# define OPT_S_CASES \
|
||||
OPT_S__FIRST: case OPT_S__LAST: break; \
|
||||
|
|
|
@ -747,7 +747,7 @@ typedef enum OPTION_choice {
|
|||
OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
|
||||
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
|
||||
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
|
||||
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA,
|
||||
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS,
|
||||
OPT_R_ENUM,
|
||||
OPT_S_ENUM,
|
||||
OPT_V_ENUM,
|
||||
|
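Review bot: OPT_S_NUM_TICKETS on the new enum line carries the OPT_S_ prefix used by the values that OPT_S_ENUM generates from apps.h, yet it is declared by hand in s_server.c's OPTION_choice rather than in OPT_S_OPTIONS, so a reader following the prefix to apps.h will not find it. Since the fourth hunk routes it through the same `case OPT_S_CASES:` handling, it looks like it belongs in the shared OPT_S_OPTIONS/OPT_S_ENUM/OPT_S_CASES macros, or else it should drop the prefix, e.g. `OPT_NUM_TICKETS`, so the name does not suggest it is one of the generated values. The OPTION_choice enum starts and ends outside this hunk.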
@ -955,6 +955,8 @@ const OPTIONS s_server_options[] = {
|
|||
{"max_early_data", OPT_MAX_EARLY, 'n',
|
||||
"The maximum number of bytes of early data"},
|
||||
{"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
|
||||
{"num_tickets", OPT_S_NUM_TICKETS, 'n',
|
||||
"The number of TLSv1.3 session tickets that a server will automatically issue" },
|
||||
{NULL, OPT_EOF, 0, NULL}
|
||||
};
|
||||
|
||||
|
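Review bot: The help string on the new `{"num_tickets", OPT_S_NUM_TICKETS, 'n',` entry runs past 80 columns, which OpenSSL's coding style keeps lines within; the adjacent max_early_data entry shows the expected shape with its description on a continuation line. Splitting the literal as `"The number of TLSv1.3 session tickets that a server will "` followed by `"automatically issue"},` keeps the text identical and brings the line under the limit. The 'n' type presumably makes the apps option parser validate the argument as an integer before it is handed on to SSL_CONF; a one-line comment saying so would explain why the apps path is stricter than cmd_NumTickets's atoi().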
@ -1252,6 +1254,7 @@ int s_server_main(int argc, char *argv[])
|
|||
goto opthelp;
|
||||
break;
|
||||
case OPT_S_CASES:
|
||||
case OPT_S_NUM_TICKETS:
|
||||
if (ssl_args == NULL)
|
||||
ssl_args = sk_OPENSSL_STRING_new_null();
|
||||
if (ssl_args == NULL
|
||||
|
|
|
@ -151,6 +151,8 @@ of RFC4507bis tickets for stateless session resumption.
|
|||
If this option is set this functionality is disabled and tickets will
|
||||
not be used by clients or servers.
|
||||
|
||||
This option only applies to TLSv1.2 and below. It is ignored for TLSv1.3.
|
||||
|
||||
=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
|
||||
|
||||
Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
|
||||
|
|
|
@ -570,6 +570,21 @@ static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value)
|
|||
return rv;
|
||||
}
|
||||
|
||||
|
||||
static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
|
||||
{
|
||||
int rv = 0;
|
||||
int num_tickets = atoi(value);
|
||||
|
||||
if (num_tickets >= 0) {
|
||||
if (cctx->ctx)
|
||||
rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
|
||||
if (cctx->ssl)
|
||||
rv = SSL_set_num_tickets(cctx->ssl, num_tickets);
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
|
||||
typedef struct {
|
||||
int (*cmd) (SSL_CONF_CTX *cctx, const char *value);
|
||||
const char *str_file;
|
||||
|
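Review bot: `int num_tickets = atoi(value);` in the new cmd_NumTickets gives no error signal: a value that is not a number ("abc", "") parses as 0, which passes the `num_tickets >= 0` guard and silently configures zero tickets, "5x" is accepted as 5, and an out-of-range value is undefined behaviour. This mirrors how cmd_RecordPadding appears to parse its value, but for a new command strtol() with an end-pointer and ERANGE check rejects malformed configuration instead of reinterpreting it, and an INT_MAX bound keeps the value within what the set_num_tickets calls are presumably sized for. If ssl_conf.c does not already include <errno.h> and <limits.h>, they would be needed. A smaller point: when both cctx->ctx and cctx->ssl are set, rv from SSL_CTX_set_num_tickets is overwritten by the SSL_set_num_tickets result.
```c
static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
{
    int rv = 0;
    char *end = NULL;
    long num_tickets;

    errno = 0;
    num_tickets = strtol(value, &end, 10);
    /* Reject empty input, trailing characters, overflow and negative counts */
    if (end == value || *end != '\0' || errno == ERANGE
        || num_tickets < 0 || num_tickets > INT_MAX)
        return 0;
    /* … unchanged: SSL_CTX_set_num_tickets / SSL_set_num_tickets calls … */
    return rv;
}
```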
@ -655,7 +670,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
|
|||
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
|
||||
SSL_CONF_TYPE_FILE),
|
||||
#endif
|
||||
SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0)
|
||||
SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0),
|
||||
SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER)
|
||||
};
|
||||
|
||||
/* Supported switches: must match order of switches in ssl_conf_cmds */
|
||||
|
|