From: Matt Caswell Date: Wed, 31 Jan 2018 16:40:03 +0000 (+0000) Subject: Allow configuation of the number of TLSv1.3 session tickets via SSL_CONF X-Git-Tag: OpenSSL_1_1_1-pre7~42 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=394159da608f625b60f07c59e36dc7d01df3a709 Allow configuation of the number of TLSv1.3 session tickets via SSL_CONF Also allows the apps to set it. Reviewed-by: Viktor Dukhovni Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5227) --- diff --git a/apps/apps.h b/apps/apps.h index b45a31aadc..5b98d27500 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -281,8 +281,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate, "Block size to pad TLS 1.3 records to."}, \ {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \ "Perform all sorts of protocol violations for testing purposes"}, \ - {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode" } - + {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \ + "Disable TLSv1.3 middlebox compat mode" } # define OPT_S_CASES \ OPT_S__FIRST: case OPT_S__LAST: break; \ diff --git a/apps/s_server.c b/apps/s_server.c index b0e9659b52..5d53250935 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -747,7 +747,7 @@ typedef enum OPTION_choice { OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, - OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, + OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS, OPT_R_ENUM, OPT_S_ENUM, OPT_V_ENUM, @@ -955,6 +955,8 @@ const OPTIONS s_server_options[] = { {"max_early_data", OPT_MAX_EARLY, 'n', "The maximum number of bytes of early data"}, {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"}, + {"num_tickets", OPT_S_NUM_TICKETS, 'n', + "The number of TLSv1.3 session tickets that a server will automatically issue" }, {NULL, OPT_EOF, 0, NULL} }; 
@@ -1252,6 +1254,7 @@ int s_server_main(int argc, char *argv[]) goto opthelp; break; case OPT_S_CASES: + case OPT_S_NUM_TICKETS: if (ssl_args == NULL) ssl_args = sk_OPENSSL_STRING_new_null(); if (ssl_args == NULL diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 0d510773cd..552de07f8a 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -151,6 +151,8 @@ of RFC4507bis tickets for stateless session resumption. If this option is set this functionality is disabled and tickets will not be used by clients or servers. +This option only applies to TLSv1.2 and below. It is ignored for TLSv1.3. + =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Allow legacy insecure renegotiation between OpenSSL and unpatched clients or diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index f1e8200b70..758f012938 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -570,6 +570,21 @@ static int cmd_RecordPadding(SSL_CONF_CTX *cctx, const char *value) return rv; } + +static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value) +{ + int rv = 0; + int num_tickets = atoi(value); + + if (num_tickets >= 0) { + if (cctx->ctx) + rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets); + if (cctx->ssl) + rv = SSL_set_num_tickets(cctx->ssl, num_tickets); + } + return rv; +} + typedef struct { int (*cmd) (SSL_CONF_CTX *cctx, const char *value); const char *str_file; @@ -655,7 +670,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE, SSL_CONF_TYPE_FILE), #endif - SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0) + SSL_CONF_CMD_STRING(RecordPadding, "record_padding", 0), + SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER) }; /* Supported switches: must match order of switches in ssl_conf_cmds */
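Review bot: `atoi(value)` in cmd_NumTickets cannot report a parse failure, so a non-numeric or empty value becomes 0, passes the `num_tickets >= 0` check and is handed to the setters as a ticket count of zero. A string that does not fit in an int is undefined behaviour for `atoi`. Parsing with `strtol` and rejecting empty input, trailing characters, `ERANGE` and anything outside 0..INT_MAX would turn a mistyped configuration value into a reported error instead of a silent change to session-ticket behaviour. The sketch below needs `<errno.h>` and `<limits.h>` if ssl_conf.c does not already include them, which this hunk does not show.

```c
static int cmd_NumTickets(SSL_CONF_CTX *cctx, const char *value)
{
    int rv = 0;
    char *end = NULL;
    long num_tickets;

    errno = 0;
    num_tickets = strtol(value, &end, 10);
    /* Reject empty input, trailing junk, overflow and negative counts. */
    if (end == value || *end != '\0' || errno == ERANGE
            || num_tickets < 0 || num_tickets > INT_MAX)
        return 0;

    if (cctx->ctx)
        rv = SSL_CTX_set_num_tickets(cctx->ctx, num_tickets);
    if (cctx->ssl)
        rv = SSL_set_num_tickets(cctx->ssl, num_tickets);
    return rv;
}
```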
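Review bot: The `SSL_CONF_CMD_STRING(NumTickets, "num_tickets", SSL_CONF_FLAG_SERVER)` entry adds a new configuration command, but none of the files shown in this diff documents it. The only documentation change is the SSL_OP_NO_TICKET note in SSL_CTX_set_options.pod. Since that note says SSL_OP_NO_TICKET is ignored for TLSv1.3, operators who want to limit or turn off TLSv1.3 tickets need to be pointed at this setting. A short entry for `NumTickets` / `-num_tickets` in the SSL_CONF command documentation and the s_server manual, stating the accepted range and what a value of 0 does, would cover it. The `ssl_conf_cmds` table begins outside the hunk.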