Loading apps/apps.h +2 −2 Original line number Diff line number Diff line Loading @@ -281,8 +281,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, "Block size to pad TLS 1.3 records to."}, \ {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \ "Perform all sorts of protocol violations for testing purposes"}, \ {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode" } {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \ "Disable TLSv1.3 middlebox compat mode" } # define OPT_S_CASES \ OPT_S__FIRST: case OPT_S__LAST: break; \ Loading apps/s_server.c +4 −1 Original line number Diff line number Diff line Loading @@ -747,7 +747,7 @@ typedef enum OPTION_choice { OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS, OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM, Loading Loading @@ -955,6 +955,8 @@ const OPTIONS s_server_options[] = { {"max_early_data", OPT_MAX_EARLY, 'n', "The maximum number of bytes of early data"}, {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"}, {"num_tickets", OPT_S_NUM_TICKETS, 'n', "The number of TLSv1.3 session tickets that a server will automatically issue" }, {NULL, OPT_EOF, 0, NULL} }; Loading Loading @@ -1252,6 +1254,7 @@ int s_server_main(int argc, char *argv[]) goto opthelp; break; case OPT_S_CASES: case OPT_S_NUM_TICKETS: if (ssl_args == NULL) ssl_args = sk_OPENSSL_STRING_new_null(); if (ssl_args == NULL Loading doc/man3/SSL_CTX_set_options.pod +2 −0 Original line number Diff line number Diff line Loading 
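Review bot: The new `case OPT_S_NUM_TICKETS:` in s_server_main is placed directly after `case OPT_S_CASES:` so that the option is forwarded into `ssl_args` like the generic SSL_CONF options, but nothing in the code says why it needs its own label; from the enum hunk it appears `OPT_S_NUM_TICKETS` sits outside the `OPT_S__FIRST..OPT_S__LAST` range that `OPT_S_CASES` expands to, and a reader is left to infer that. A one-line comment on the new case would save the next maintainer the cross-file lookup: `/* not in the OPT_S_* range expanded by OPT_S_CASES; forwarded to ssl_args explicitly */`. The switch body continues past the end of this section. The apps.h section is a line-continuation reformat only.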
@@ -151,6 +151,8 @@ of RFC4507bis tickets for stateless session resumption. If this option is set this functionality is disabled and tickets will not be used by clients or servers. This option only applies to TLSv1.2 and below. It is ignored for TLSv1.3. =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Allow legacy insecure renegotiation between OpenSSL and unpatched clients or Loading ssl/ssl_conf.c +17 −1 Original line number Diff line number Diff line Loading @@ -570,6 +570,21 @@ static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) return rv; } static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) { int rv = 0; int num_tickets = atoi(value); if (num_tickets >= 0) { if (cctx->ctx) rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); if (cctx->ssl) rv = SSL_set_num_tickets(cctx->ssl, num_tickets); } return rv; } typedef struct { int (*cmd) (SSL_CONF_CTX *cctx, const char *value); const char *str_file; Loading Loading @@ -655,7 +670,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), #endif SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0) SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER) }; /* Supported switches: must match order of switches in ssl_conf_cmds */ Loading Loading
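Review bot: `cmd_NumTickets` parses the configuration value with `atoi(value)`, which gives no error signal: a non-numeric string such as `"abc"` or `""` yields 0, passes the `num_tickets >= 0` guard and silently configures zero tickets, while an out-of-range string is undefined behaviour in `atoi`. Since this value arrives through the SSL_CONF command interface (`SSL_CONF_cmd` callers and config files, not only the `-num_tickets` switch that s_server pre-validates with the `'n'` option type, presumably), the conversion should use `strtol` with an end-pointer, `errno` and range check and return 0 on any malformed input. The same body also overwrites `rv` when both `cctx->ctx` and `cctx->ssl` are set, so a failure in the first setter can be masked by success in the second; consider `rv &=` / early return there too. `<errno.h>` and `<limits.h>` may need to be included if ssl_conf.c does not already pull them in. The ssl_conf.c section is rendered a second time further down the page; the comment applies there as well.
```c
static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
{
    int rv = 0;
    long num_tickets;
    char *end = NULL;

    errno = 0;
    num_tickets = strtol(value, &end, 10);
    /* reject empty input, trailing junk, overflow and negative values */
    if (end == value || *end != '\0' || errno == ERANGE
        || num_tickets < 0 || num_tickets > INT_MAX)
        return 0;
    if (cctx->ctx)
        rv = SSL_CTX_set_num_tickets(cctx->ctx, (int)num_tickets);
    /* … unchanged: SSL_set_num_tickets branch and return rv … */
```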
apps/apps.h +2 −2 Original line number Diff line number Diff line Loading @@ -281,8 +281,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, "Block size to pad TLS 1.3 records to."}, \ {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \ "Perform all sorts of protocol violations for testing purposes"}, \ {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode" } {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \ "Disable TLSv1.3 middlebox compat mode" } # define OPT_S_CASES \ OPT_S__FIRST: case OPT_S__LAST: break; \ Loading
apps/s_server.c +4 −1 Original line number Diff line number Diff line Loading @@ -747,7 +747,7 @@ typedef enum OPTION_choice { OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS, OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM, Loading Loading @@ -955,6 +955,8 @@ const OPTIONS s_server_options[] = { {"max_early_data", OPT_MAX_EARLY, 'n', "The maximum number of bytes of early data"}, {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"}, {"num_tickets", OPT_S_NUM_TICKETS, 'n', "The number of TLSv1.3 session tickets that a server will automatically issue" }, {NULL, OPT_EOF, 0, NULL} }; Loading Loading @@ -1252,6 +1254,7 @@ int s_server_main(int argc, char *argv[]) goto opthelp; break; case OPT_S_CASES: case OPT_S_NUM_TICKETS: if (ssl_args == NULL) ssl_args = sk_OPENSSL_STRING_new_null(); if (ssl_args == NULL Loading
doc/man3/SSL_CTX_set_options.pod +2 −0 Original line number Diff line number Diff line Loading @@ -151,6 +151,8 @@ of RFC4507bis tickets for stateless session resumption. If this option is set this functionality is disabled and tickets will not be used by clients or servers. This option only applies to TLSv1.2 and below. It is ignored for TLSv1.3. =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Allow legacy insecure renegotiation between OpenSSL and unpatched clients or Loading
ssl/ssl_conf.c +17 −1 Original line number Diff line number Diff line Loading @@ -570,6 +570,21 @@ static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) return rv; } static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) { int rv = 0; int num_tickets = atoi(value); if (num_tickets >= 0) { if (cctx->ctx) rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); if (cctx->ssl) rv = SSL_set_num_tickets(cctx->ssl, num_tickets); } return rv; } typedef struct { int (*cmd) (SSL_CONF_CTX *cctx, const char *value); const char *str_file; Loading Loading @@ -655,7 +670,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), #endif SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0) SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER) }; /* Supported switches: must match order of switches in ssl_conf_cmds */ Loading