nghttpx: Disable TLS session ticket if ticket key is not available

Tatsuhiro Tsujikawa 2015-07-29 20:38:49 +09:00
parent 58dd924343
commit d0a37d59a5
4 changed files with 23 additions and 4 deletions


@ -319,7 +319,7 @@ int Connection::tls_handshake() {
auto ssl_ctx = SSL_get_SSL_CTX(tls.ssl); auto ssl_ctx = SSL_get_SSL_CTX(tls.ssl);
SSL_free(tls.ssl); SSL_free(tls.ssl);
auto ssl = ssl::create_ssl(ssl_ctx); auto ssl = ssl::create_server_ssl(ssl_ctx, nullptr);
if (!ssl) { if (!ssl) {
return -1; return -1;
} }
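Review bot: The server-side SSL object rebuilt on line 14 is created with `create_server_ssl(ssl_ctx, nullptr)`, and because create_server_ssl only sets SSL_OP_NO_TICKET when a Worker is supplied, this path drops the ticket-disabling option the commit adds for accept_connection, so a connection whose SSL is recreated here offers session tickets again even when no ticket key is available. A Worker may not be reachable from Connection, but the option is already present on the object being freed: read it with `auto ssl_opts = SSL_get_options(tls.ssl);` before `SSL_free(tls.ssl);`, then after the null check carry it over with `SSL_set_options(ssl, ssl_opts & SSL_OP_NO_TICKET);`. Whether the ticket-key callback fails safe without keys is not visible here, so the effect may be limited to tickets being negotiated rather than successfully issued. tls_handshake starts and ends outside the hunk.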


@ -323,7 +323,7 @@ int Http2Session::initiate_connection() {
// We are establishing TLS connection. If conn_.tls.ssl, we may // We are establishing TLS connection. If conn_.tls.ssl, we may
// reuse the previous session. // reuse the previous session.
if (!conn_.tls.ssl) { if (!conn_.tls.ssl) {
auto ssl = ssl::create_ssl(ssl_ctx_); auto ssl = ssl::create_client_ssl(ssl_ctx_);
if (!ssl) { if (!ssl) {
return -1; return -1;
} }


@ -695,6 +695,7 @@ SSL_CTX *create_ssl_client_context() {
return ssl_ctx; return ssl_ctx;
} }
namespace {
SSL *create_ssl(SSL_CTX *ssl_ctx) { SSL *create_ssl(SSL_CTX *ssl_ctx) {
auto ssl = SSL_new(ssl_ctx); auto ssl = SSL_new(ssl_ctx);
if (!ssl) { if (!ssl) {
@ -705,6 +706,23 @@ SSL *create_ssl(SSL_CTX *ssl_ctx) {
return ssl; return ssl;
} }
} // namespace
SSL *create_server_ssl(SSL_CTX *ssl_ctx, Worker *worker) {
auto ssl = create_ssl(ssl_ctx);
if (!ssl) {
return nullptr;
}
// Disable TLS session ticket if we don't have working ticket keys.
if (worker && !worker->get_ticket_keys()) {
SSL_set_options(ssl, SSL_OP_NO_TICKET);
}
return ssl;
}
SSL *create_client_ssl(SSL_CTX *ssl_ctx) { return create_ssl(ssl_ctx); }
ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr, ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
int addrlen) { int addrlen) {
@ -728,7 +746,7 @@ ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
SSL *ssl = nullptr; SSL *ssl = nullptr;
auto ssl_ctx = worker->get_sv_ssl_ctx(); auto ssl_ctx = worker->get_sv_ssl_ctx();
if (ssl_ctx) { if (ssl_ctx) {
ssl = create_ssl(ssl_ctx); ssl = create_server_ssl(ssl_ctx, worker);
if (!ssl) { if (!ssl) {
return nullptr; return nullptr;
} }
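Review bot: create_server_ssl on line 43 silently skips the SSL_OP_NO_TICKET guard when worker is nullptr, and neither the definition nor the new header declaration says what a null Worker means, so a caller passing nullptr gets the SSL_CTX defaults with no hint that the ticket mitigation was not applied. Add a comment above the definition and mirror it on the declaration in the header hunk, e.g. `// Creates server-side SSL from ssl_ctx.  If worker is non-null and has no working ticket keys, session tickets are disabled on the returned SSL; with a null worker the SSL_CTX defaults are kept.  Returns nullptr on failure.` The type returned by worker->get_ticket_keys() is not visible in this hunk; if it is a shared_ptr, the test copies it just to check for null, and a `!worker->get_ticket_keys().get()`-style or bool-returning accessor would avoid the refcount traffic on every accept — worth confirming against Worker.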


@ -172,7 +172,8 @@ SSL_CTX *setup_client_ssl_context();
// this function returns nullptr. // this function returns nullptr.
CertLookupTree *create_cert_lookup_tree(); CertLookupTree *create_cert_lookup_tree();
SSL *create_ssl(SSL_CTX *ssl_ctx); SSL *create_server_ssl(SSL_CTX *ssl_ctx, Worker *worker);
SSL *create_client_ssl(SSL_CTX *ssl_ctx);
} // namespace ssl } // namespace ssl