nghttpx: Structured TLS related configurations

2016-01-18 14:21:09 +09:00 · 2016-01-18 14:21:09 +09:00 · f3e1dc7a4f
parent b12af8c410
commit f3e1dc7a4f
10 changed files with 266 additions and 212 deletions
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -903,9 +903,6 @@ void fill_default_config() {
  mod_config()->server_name = "nghttpx nghttp2/" NGHTTP2_VERSION;
  mod_config()->host = strcopy("*");
  mod_config()->port = 3000;
-  mod_config()->private_key_file = nullptr;
-  mod_config()->private_key_passwd = nullptr;
-  mod_config()->cert_file = nullptr;

  // Read timeout for HTTP2 upstream connection
  mod_config()->http2_upstream_read_timeout = 3_min;
@ -957,14 +954,11 @@ void fill_default_config() {
  mod_config()->syslog_facility = LOG_DAEMON;
  // Default accept() backlog
  mod_config()->backlog = 512;
-  mod_config()->ciphers = nullptr;
  mod_config()->http2_proxy = false;
  mod_config()->http2_bridge = false;
  mod_config()->client_proxy = false;
  mod_config()->client = false;
  mod_config()->client_mode = false;
-  mod_config()->insecure = false;
-  mod_config()->cacert = nullptr;
  mod_config()->pid_file = nullptr;
  mod_config()->user = nullptr;
  mod_config()->uid = 0;
@ -981,10 +975,6 @@ void fill_default_config() {
  mod_config()->worker_read_burst = 0;
  mod_config()->worker_write_rate = 0;
  mod_config()->worker_write_burst = 0;
-  mod_config()->verify_client = false;
-  mod_config()->verify_client_cacert = nullptr;
-  mod_config()->client_private_key_file = nullptr;
-  mod_config()->client_cert_file = nullptr;
  mod_config()->http2_upstream_dump_request_header = nullptr;
  mod_config()->http2_upstream_dump_response_header = nullptr;
  mod_config()->http2_no_cookie_crumbling = false;
@ -1002,7 +992,6 @@ void fill_default_config() {
  nghttp2_option_set_peer_max_concurrent_streams(
      get_config()->http2_client_option, 100);

-  mod_config()->tls_proto_mask = 0;
  mod_config()->no_location_rewrite = false;
  mod_config()->no_host_rewrite = true;
  mod_config()->argc = 0;
@ -1015,23 +1004,42 @@ void fill_default_config() {
  mod_config()->no_server_push = false;
  mod_config()->host_unix = false;
  mod_config()->http2_downstream_connections_per_worker = 0;
-  // ocsp update interval = 14400 secs = 4 hours, borrowed from h2o
-  mod_config()->ocsp_update_interval = 4_h;
-  mod_config()->fetch_ocsp_response_file =
-      strcopy(PKGDATADIR "/fetch-ocsp-response");
-  mod_config()->no_ocsp = false;
  mod_config()->header_field_buffer = 64_k;
  mod_config()->max_header_fields = 100;
  mod_config()->downstream_addr_group_catch_all = 0;
-  mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
-  mod_config()->tls_ticket_key_cipher_given = false;
-  mod_config()->tls_session_timeout = std::chrono::hours(12);
-  mod_config()->tls_ticket_key_memcached_max_retry = 3;
-  mod_config()->tls_ticket_key_memcached_max_fail = 2;
-  mod_config()->tls_ticket_key_memcached_interval = 10_min;
  mod_config()->fastopen = 0;
-  mod_config()->tls_dyn_rec_warmup_threshold = 1_m;
-  mod_config()->tls_dyn_rec_idle_timeout = 1.;
+
+  auto &tlsconf = mod_config()->tls;
+  {
+    auto &ticketconf = tlsconf.ticket;
+    ticketconf.cipher = EVP_aes_128_cbc();
+    ticketconf.cipher_given = false;
+
+    {
+      auto &memcachedconf = ticketconf.memcached;
+      memcachedconf.max_retry = 3;
+      memcachedconf.max_fail = 2;
+      memcachedconf.interval = 10_min;
+    }
+
+    auto &ocspconf = tlsconf.ocsp;
+    // ocsp update interval = 14400 secs = 4 hours, borrowed from h2o
+    ocspconf.update_interval = 4_h;
+    ocspconf.fetch_ocsp_response_file =
+        strcopy(PKGDATADIR "/fetch-ocsp-response");
+    ocspconf.disabled = false;
+
+    auto &client_verify = tlsconf.client_verify;
+    client_verify.enabled = false;
+
+    auto &dyn_recconf = tlsconf.dyn_rec;
+    dyn_recconf.warmup_threshold = 1_m;
+    dyn_recconf.idle_timeout = 1.;
+
+    tlsconf.session_timeout = std::chrono::hours(12);
+    tlsconf.tls_proto_mask = 0;
+    tlsconf.insecure = false;
+  }
 }
 } // namespace

@ -1386,8 +1394,7 @@ SSL/TLS:
  --tls-ticket-key-memcached-interval=<DURATION>
              Set interval to get TLS ticket keys from memcached.
              Default: )"
-      << util::duration_str(get_config()->tls_ticket_key_memcached_interval)
-      << R"(
+      << util::duration_str(get_config()->tls.ticket.memcached.interval) << R"(
  --tls-ticket-key-memcached-max-retry=<N>
              Set  maximum   number  of  consecutive   retries  before
              abandoning TLS ticket key  retrieval.  If this number is
@ -1395,13 +1402,11 @@ SSL/TLS:
              "failure" count  is incremented by 1,  which contributed
              to            the            value            controlled
              --tls-ticket-key-memcached-max-fail option.
-              Default: )" << get_config()->tls_ticket_key_memcached_max_retry
-      << R"(
+              Default: )" << get_config()->tls.ticket.memcached.max_retry << R"(
  --tls-ticket-key-memcached-max-fail=<N>
              Set  maximum   number  of  consecutive   failure  before
              disabling TLS ticket until next scheduled key retrieval.
-              Default: )" << get_config()->tls_ticket_key_memcached_max_fail
-      << R"(
+              Default: )" << get_config()->tls.ticket.memcached.max_fail << R"(
  --tls-ticket-key-cipher=<CIPHER>
              Specify cipher  to encrypt TLS session  ticket.  Specify
              either   aes-128-cbc   or  aes-256-cbc.    By   default,
@ -1409,11 +1414,12 @@ SSL/TLS:
  --fetch-ocsp-response-file=<PATH>
              Path to  fetch-ocsp-response script file.  It  should be
              absolute path.
-              Default: )" << get_config()->fetch_ocsp_response_file.get() << R"(
+              Default: )"
+      << get_config()->tls.ocsp.fetch_ocsp_response_file.get() << R"(
  --ocsp-update-interval=<DURATION>
              Set interval to update OCSP response cache.
              Default: )"
-      << util::duration_str(get_config()->ocsp_update_interval) << R"(
+      << util::duration_str(get_config()->tls.ocsp.update_interval) << R"(
  --no-ocsp   Disable OCSP stapling.
  --tls-session-cache-memcached=<HOST>,<PORT>
              Specify  address of  memcached server  to store  session
@ -1431,14 +1437,14 @@ SSL/TLS:
              period.   This  behaviour  applies   to  all  TLS  based
              frontends, and TLS HTTP/2 backends.
              Default: )"
-      << util::utos_unit(get_config()->tls_dyn_rec_warmup_threshold) << R"(
+      << util::utos_unit(get_config()->tls.dyn_rec.warmup_threshold) << R"(
  --tls-dyn-rec-idle-timeout=<DURATION>
              Specify TLS dynamic record  size behaviour timeout.  See
              --tls-dyn-rec-warmup-threshold  for   more  information.
              This behaviour  applies to all TLS  based frontends, and
              TLS HTTP/2 backends.
              Default: )"
-      << util::duration_str(get_config()->tls_dyn_rec_idle_timeout) << R"(
+      << util::duration_str(get_config()->tls.dyn_rec.idle_timeout) << R"(

 HTTP/2 and SPDY:
  -c, --http2-max-concurrent-streams=<N>
@ -2410,18 +2416,19 @@ int main(int argc, char **argv) {
    }
  }

-  if (get_config()->npn_list.empty()) {
-    mod_config()->npn_list = util::parse_config_str_list(DEFAULT_NPN_LIST);
+  auto &tlsconf = mod_config()->tls;
+
+  if (tlsconf.npn_list.empty()) {
+    tlsconf.npn_list = util::parse_config_str_list(DEFAULT_NPN_LIST);
  }
-  if (get_config()->tls_proto_list.empty()) {
-    mod_config()->tls_proto_list =
+  if (tlsconf.tls_proto_list.empty()) {
+    tlsconf.tls_proto_list =
        util::parse_config_str_list(DEFAULT_TLS_PROTO_LIST);
  }

-  mod_config()->tls_proto_mask =
-      ssl::create_tls_proto_mask(get_config()->tls_proto_list);
+  tlsconf.tls_proto_mask = ssl::create_tls_proto_mask(tlsconf.tls_proto_list);

-  mod_config()->alpn_prefs = ssl::set_alpn_prefs(get_config()->npn_list);
+  tlsconf.alpn_prefs = ssl::set_alpn_prefs(tlsconf.npn_list);

  if (get_config()->backend_ipv4 && get_config()->backend_ipv6) {
    LOG(FATAL) << "--backend-ipv4 and --backend-ipv6 cannot be used at the "
@ -2454,18 +2461,18 @@ int main(int argc, char **argv) {
  }

  if (!get_config()->upstream_no_tls &&
-      (!get_config()->private_key_file || !get_config()->cert_file)) {
+      (!tlsconf.private_key_file || !tlsconf.cert_file)) {
    print_usage(std::cerr);
    LOG(FATAL) << "Too few arguments";
    exit(EXIT_FAILURE);
  }

-  if (!get_config()->upstream_no_tls && !get_config()->no_ocsp) {
+  if (!get_config()->upstream_no_tls && !tlsconf.ocsp.disabled) {
    struct stat buf;
-    if (stat(get_config()->fetch_ocsp_response_file.get(), &buf) != 0) {
-      mod_config()->no_ocsp = true;
+    if (stat(tlsconf.ocsp.fetch_ocsp_response_file.get(), &buf) != 0) {
+      tlsconf.ocsp.disabled = true;
      LOG(WARN) << "--fetch-ocsp-response-file: "
-                << get_config()->fetch_ocsp_response_file.get()
+                << tlsconf.ocsp.fetch_ocsp_response_file.get()
                << " not found.  OCSP stapling has been disabled.";
    }
  }
@ -2581,21 +2588,23 @@ int main(int argc, char **argv) {
    }
  }

-  if (get_config()->session_cache_memcached_host) {
-    if (resolve_hostname(&mod_config()->session_cache_memcached_addr,
-                         get_config()->session_cache_memcached_host.get(),
-                         get_config()->session_cache_memcached_port,
-                         AF_UNSPEC) == -1) {
-      exit(EXIT_FAILURE);
+  {
+    auto &memcachedconf = tlsconf.session_cache.memcached;
+    if (memcachedconf.host) {
+      if (resolve_hostname(&memcachedconf.addr, memcachedconf.host.get(),
+                           memcachedconf.port, AF_UNSPEC) == -1) {
+        exit(EXIT_FAILURE);
+      }
    }
  }

-  if (get_config()->tls_ticket_key_memcached_host) {
-    if (resolve_hostname(&mod_config()->tls_ticket_key_memcached_addr,
-                         get_config()->tls_ticket_key_memcached_host.get(),
-                         get_config()->tls_ticket_key_memcached_port,
-                         AF_UNSPEC) == -1) {
-      exit(EXIT_FAILURE);
+  {
+    auto &memcachedconf = tlsconf.ticket.memcached;
+    if (memcachedconf.host) {
+      if (resolve_hostname(&memcachedconf.addr, memcachedconf.host.get(),
+                           memcachedconf.port, AF_UNSPEC) == -1) {
+        exit(EXIT_FAILURE);
+      }
    }
  }

--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@ -375,8 +375,8 @@ ClientHandler::ClientHandler(Worker *worker, int fd, SSL *ssl,
            get_config()->upstream_read_timeout, get_config()->write_rate,
            get_config()->write_burst, get_config()->read_rate,
            get_config()->read_burst, writecb, readcb, timeoutcb, this,
-            get_config()->tls_dyn_rec_warmup_threshold,
-            get_config()->tls_dyn_rec_idle_timeout),
+            get_config()->tls.dyn_rec.warmup_threshold,
+            get_config()->tls.dyn_rec.idle_timeout),
      pinned_http2sessions_(
          get_config()->downstream_proto == PROTO_HTTP2
              ? make_unique<std::vector<ssize_t>>(
@ -521,7 +521,8 @@ int ClientHandler::validate_next_proto() {
    CLOG(INFO, this) << "The negotiated next protocol: " << proto;
  }

-  if (!ssl::in_proto_list(get_config()->npn_list, next_proto, next_proto_len)) {
+  if (!ssl::in_proto_list(get_config()->tls.npn_list, next_proto,
+                          next_proto_len)) {
    if (LOG_ENABLED(INFO)) {
      CLOG(INFO, this) << "The negotiated protocol is not supported";
    }
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@ -1601,7 +1601,7 @@ int parse_config(const char *opt, const char *optarg,

    return 0;
  case SHRPX_OPTID_BACKEND_TLS_SNI_FIELD:
-    mod_config()->backend_tls_sni_name = optarg;
+    mod_config()->tls.backend_sni_name = optarg;

    return 0;
  case SHRPX_OPTID_PID_FILE:
@ -1622,7 +1622,7 @@ int parse_config(const char *opt, const char *optarg,
    return 0;
  }
  case SHRPX_OPTID_PRIVATE_KEY_FILE:
-    mod_config()->private_key_file = strcopy(optarg);
+    mod_config()->tls.private_key_file = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE: {
@ -1631,16 +1631,16 @@ int parse_config(const char *opt, const char *optarg,
      LOG(ERROR) << opt << ": Couldn't read key file's passwd from " << optarg;
      return -1;
    }
-    mod_config()->private_key_passwd = strcopy(passwd);
+    mod_config()->tls.private_key_passwd = strcopy(passwd);

    return 0;
  }
  case SHRPX_OPTID_CERTIFICATE_FILE:
-    mod_config()->cert_file = strcopy(optarg);
+    mod_config()->tls.cert_file = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_DH_PARAM_FILE:
-    mod_config()->dh_param_file = strcopy(optarg);
+    mod_config()->tls.dh_param_file = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_SUBCERT: {
@ -1649,7 +1649,7 @@ int parse_config(const char *opt, const char *optarg,
    if (sp) {
      std::string keyfile(optarg, sp);
      // TODO Do we need private key for subcert?
-      mod_config()->subcerts.emplace_back(keyfile, sp + 1);
+      mod_config()->tls.subcerts.emplace_back(keyfile, sp + 1);
    }

    return 0;
@ -1681,7 +1681,7 @@ int parse_config(const char *opt, const char *optarg,
    return 0;
  }
  case SHRPX_OPTID_CIPHERS:
-    mod_config()->ciphers = strcopy(optarg);
+    mod_config()->tls.ciphers = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_CLIENT:
@ -1689,11 +1689,11 @@ int parse_config(const char *opt, const char *optarg,

    return 0;
  case SHRPX_OPTID_INSECURE:
-    mod_config()->insecure = util::strieq(optarg, "yes");
+    mod_config()->tls.insecure = util::strieq(optarg, "yes");

    return 0;
  case SHRPX_OPTID_CACERT:
-    mod_config()->cacert = strcopy(optarg);
+    mod_config()->tls.cacert = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_BACKEND_IPV4:
@ -1762,27 +1762,27 @@ int parse_config(const char *opt, const char *optarg,
    LOG(WARN) << opt << ": not implemented yet";
    return parse_uint_with_unit(&mod_config()->worker_write_burst, opt, optarg);
  case SHRPX_OPTID_NPN_LIST:
-    mod_config()->npn_list = util::parse_config_str_list(optarg);
+    mod_config()->tls.npn_list = util::parse_config_str_list(optarg);

    return 0;
  case SHRPX_OPTID_TLS_PROTO_LIST:
-    mod_config()->tls_proto_list = util::parse_config_str_list(optarg);
+    mod_config()->tls.tls_proto_list = util::parse_config_str_list(optarg);

    return 0;
  case SHRPX_OPTID_VERIFY_CLIENT:
-    mod_config()->verify_client = util::strieq(optarg, "yes");
+    mod_config()->tls.client_verify.enabled = util::strieq(optarg, "yes");

    return 0;
  case SHRPX_OPTID_VERIFY_CLIENT_CACERT:
-    mod_config()->verify_client_cacert = strcopy(optarg);
+    mod_config()->tls.client_verify.cacert = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE:
-    mod_config()->client_private_key_file = strcopy(optarg);
+    mod_config()->tls.client.private_key_file = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_CLIENT_CERT_FILE:
-    mod_config()->client_cert_file = strcopy(optarg);
+    mod_config()->tls.client.cert_file = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER:
@ -1899,7 +1899,7 @@ int parse_config(const char *opt, const char *optarg,
  case SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT:
    return parse_duration(&mod_config()->listener_disable_timeout, opt, optarg);
  case SHRPX_OPTID_TLS_TICKET_KEY_FILE:
-    mod_config()->tls_ticket_key_files.push_back(optarg);
+    mod_config()->tls.ticket.files.push_back(optarg);
    return 0;
  case SHRPX_OPTID_RLIMIT_NOFILE: {
    int n;
@ -1948,13 +1948,13 @@ int parse_config(const char *opt, const char *optarg,
    return parse_uint(&mod_config()->http2_downstream_connections_per_worker,
                      opt, optarg);
  case SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE:
-    mod_config()->fetch_ocsp_response_file = strcopy(optarg);
+    mod_config()->tls.ocsp.fetch_ocsp_response_file = strcopy(optarg);

    return 0;
  case SHRPX_OPTID_OCSP_UPDATE_INTERVAL:
-    return parse_duration(&mod_config()->ocsp_update_interval, opt, optarg);
+    return parse_duration(&mod_config()->tls.ocsp.update_interval, opt, optarg);
  case SHRPX_OPTID_NO_OCSP:
-    mod_config()->no_ocsp = util::strieq(optarg, "yes");
+    mod_config()->tls.ocsp.disabled = util::strieq(optarg, "yes");

    return 0;
  case SHRPX_OPTID_HEADER_FIELD_BUFFER:
@ -1980,15 +1980,15 @@ int parse_config(const char *opt, const char *optarg,
  }
  case SHRPX_OPTID_TLS_TICKET_KEY_CIPHER:
    if (util::strieq(optarg, "aes-128-cbc")) {
-      mod_config()->tls_ticket_key_cipher = EVP_aes_128_cbc();
+      mod_config()->tls.ticket.cipher = EVP_aes_128_cbc();
    } else if (util::strieq(optarg, "aes-256-cbc")) {
-      mod_config()->tls_ticket_key_cipher = EVP_aes_256_cbc();
+      mod_config()->tls.ticket.cipher = EVP_aes_256_cbc();
    } else {
      LOG(ERROR) << opt
                 << ": unsupported cipher for ticket encryption: " << optarg;
      return -1;
    }
-    mod_config()->tls_ticket_key_cipher_given = true;
+    mod_config()->tls.ticket.cipher_given = true;

    return 0;
  case SHRPX_OPTID_HOST_REWRITE:
@ -2001,8 +2001,9 @@ int parse_config(const char *opt, const char *optarg,
      return -1;
    }

-    mod_config()->session_cache_memcached_host = strcopy(host);
-    mod_config()->session_cache_memcached_port = port;
+    auto &memcachedconf = mod_config()->tls.session_cache.memcached;
+    memcachedconf.host = strcopy(host);
+    memcachedconf.port = port;

    return 0;
  }
@ -2012,13 +2013,14 @@ int parse_config(const char *opt, const char *optarg,
      return -1;
    }

-    mod_config()->tls_ticket_key_memcached_host = strcopy(host);
-    mod_config()->tls_ticket_key_memcached_port = port;
+    auto &memcachedconf = mod_config()->tls.ticket.memcached;
+    memcachedconf.host = strcopy(host);
+    memcachedconf.port = port;

    return 0;
  }
  case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL:
-    return parse_duration(&mod_config()->tls_ticket_key_memcached_interval, opt,
+    return parse_duration(&mod_config()->tls.ticket.memcached.interval, opt,
                          optarg);
  case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY: {
    int n;
@ -2031,11 +2033,11 @@ int parse_config(const char *opt, const char *optarg,
      return -1;
    }

-    mod_config()->tls_ticket_key_memcached_max_retry = n;
+    mod_config()->tls.ticket.memcached.max_retry = n;
    return 0;
  }
  case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL:
-    return parse_uint(&mod_config()->tls_ticket_key_memcached_max_fail, opt,
+    return parse_uint(&mod_config()->tls.ticket.memcached.max_fail, opt,
                      optarg);
  case SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD: {
    size_t n;
@ -2043,13 +2045,13 @@ int parse_config(const char *opt, const char *optarg,
      return -1;
    }

-    mod_config()->tls_dyn_rec_warmup_threshold = n;
+    mod_config()->tls.dyn_rec.warmup_threshold = n;

    return 0;
  }

  case SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT:
-    return parse_duration(&mod_config()->tls_dyn_rec_idle_timeout, opt, optarg);
+    return parse_duration(&mod_config()->tls.dyn_rec.idle_timeout, opt, optarg);

  case SHRPX_OPTID_MRUBY_FILE:
 #ifdef HAVE_MRUBY
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@ -292,25 +292,94 @@ struct HttpProxy {
  uint16_t port;
 };

-struct Config {
+struct TLSConfig {
+  // RFC 5077 Session ticket related configurations
+  struct {
+    struct {
+      Address addr;
+      uint16_t port;
+      std::unique_ptr<char[]> host;
+      ev_tstamp interval;
+      // Maximum number of retries when getting TLS ticket key from
+      // mamcached, due to network error.
+      size_t max_retry;
+      // Maximum number of consecutive error from memcached, when this
+      // limit reached, TLS ticket is disabled.
+      size_t max_fail;
+    } memcached;
+    std::vector<std::string> files;
+    const EVP_CIPHER *cipher;
+    // true if --tls-ticket-key-cipher is used
+    bool cipher_given;
+  } ticket;
+
+  // Session cache related configurations
+  struct {
+    struct {
+      Address addr;
+      uint16_t port;
+      std::unique_ptr<char[]> host;
+    } memcached;
+  } session_cache;
+
+  // Dynamic record sizing configurations
+  struct {
+    size_t warmup_threshold;
+    ev_tstamp idle_timeout;
+  } dyn_rec;
+
+  // OCSP realted configurations
+  struct {
+    ev_tstamp update_interval;
+    std::unique_ptr<char[]> fetch_ocsp_response_file;
+    bool disabled;
+  } ocsp;
+
+  // Client verification configurations
+  struct {
+    // Path to file containing CA certificate solely used for client
+    // certificate validation
+    std::unique_ptr<char[]> cacert;
+    bool enabled;
+  } client_verify;
+
+  // Client private key and certificate used in backend connections.
+  struct {
+    std::unique_ptr<char[]> private_key_file;
+    std::unique_ptr<char[]> cert_file;
+  } client;
+
  // The list of (private key file, certificate file) pair
  std::vector<std::pair<std::string, std::string>> subcerts;
-  std::vector<AltSvc> altsvcs;
-  std::vector<std::pair<std::string, std::string>> add_request_headers;
-  std::vector<std::pair<std::string, std::string>> add_response_headers;
  std::vector<unsigned char> alpn_prefs;
-  std::vector<LogFragment> accesslog_format;
-  std::vector<DownstreamAddrGroup> downstream_addr_groups;
-  std::vector<std::string> tls_ticket_key_files;
  // list of supported NPN/ALPN protocol strings in the order of
  // preference.
  std::vector<std::string> npn_list;
  // list of supported SSL/TLS protocol strings.
  std::vector<std::string> tls_proto_list;
-  Address session_cache_memcached_addr;
-  Address tls_ticket_key_memcached_addr;
+  // Bit mask to disable SSL/TLS protocol versions.  This will be
+  // passed to SSL_CTX_set_options().
+  long int tls_proto_mask;
+  std::string backend_sni_name;
+  std::chrono::seconds session_timeout;
+  std::unique_ptr<char[]> private_key_file;
+  std::unique_ptr<char[]> private_key_passwd;
+  std::unique_ptr<char[]> cert_file;
+  std::unique_ptr<char[]> dh_param_file;
+  std::unique_ptr<char[]> ciphers;
+  std::unique_ptr<char[]> cacert;
+  bool insecure;
+};
+
+struct Config {
+  std::vector<AltSvc> altsvcs;
+  std::vector<std::pair<std::string, std::string>> add_request_headers;
+  std::vector<std::pair<std::string, std::string>> add_response_headers;
+  std::vector<LogFragment> accesslog_format;
+  std::vector<DownstreamAddrGroup> downstream_addr_groups;
  Router router;
  HttpProxy downstream_http_proxy;
+  TLSConfig tls;
  // obfuscated value used in "by" parameter of Forwarded header
  // field.
  std::string forwarded_by_obfuscated;
@ -318,9 +387,7 @@ struct Config {
  // field.  This is only used when user defined static obfuscated
  // string is provided.
  std::string forwarded_for_obfuscated;
-  std::string backend_tls_sni_name;
  StringRef server_name;
-  std::chrono::seconds tls_session_timeout;
  ev_tstamp http2_upstream_read_timeout;
  ev_tstamp upstream_read_timeout;
  ev_tstamp upstream_write_timeout;
@ -330,32 +397,16 @@ struct Config {
  ev_tstamp stream_write_timeout;
  ev_tstamp downstream_idle_read_timeout;
  ev_tstamp listener_disable_timeout;
-  ev_tstamp ocsp_update_interval;
-  ev_tstamp tls_ticket_key_memcached_interval;
  // address of frontend connection.  This could be a path to UNIX
  // domain socket.  In this case, |host_unix| must be true.
  std::unique_ptr<char[]> host;
-  std::unique_ptr<char[]> private_key_file;
-  std::unique_ptr<char[]> private_key_passwd;
-  std::unique_ptr<char[]> cert_file;
-  std::unique_ptr<char[]> dh_param_file;
  std::unique_ptr<char[]> pid_file;
  std::unique_ptr<char[]> conf_path;
-  std::unique_ptr<char[]> ciphers;
-  std::unique_ptr<char[]> cacert;
  std::unique_ptr<char[]> http2_upstream_dump_request_header_file;
  std::unique_ptr<char[]> http2_upstream_dump_response_header_file;
-  // Path to file containing CA certificate solely used for client
-  // certificate validation
-  std::unique_ptr<char[]> verify_client_cacert;
-  std::unique_ptr<char[]> client_private_key_file;
-  std::unique_ptr<char[]> client_cert_file;
  std::unique_ptr<char[]> accesslog_file;
  std::unique_ptr<char[]> errorlog_file;
-  std::unique_ptr<char[]> fetch_ocsp_response_file;
  std::unique_ptr<char[]> user;
-  std::unique_ptr<char[]> session_cache_memcached_host;
-  std::unique_ptr<char[]> tls_ticket_key_memcached_host;
  std::unique_ptr<char[]> mruby_file;
  FILE *http2_upstream_dump_request_header;
  FILE *http2_upstream_dump_response_header;
@ -363,7 +414,6 @@ struct Config {
  nghttp2_session_callbacks *http2_downstream_callbacks;
  nghttp2_option *http2_option;
  nghttp2_option *http2_client_option;
-  const EVP_CIPHER *tls_ticket_key_cipher;
  char **original_argv;
  char **argv;
  char *cwd;
@ -393,15 +443,6 @@ struct Config {
  size_t max_header_fields;
  // The index of catch-all group in downstream_addr_groups.
  size_t downstream_addr_group_catch_all;
-  // Maximum number of retries when getting TLS ticket key from
-  // mamcached, due to network error.
-  size_t tls_ticket_key_memcached_max_retry;
-  // Maximum number of consecutive error from memcached, when this
-  // limit reached, TLS ticket is disabled.
-  size_t tls_ticket_key_memcached_max_fail;
-  // Bit mask to disable SSL/TLS protocol versions.  This will be
-  // passed to SSL_CTX_set_options().
-  long int tls_proto_mask;
  // downstream protocol; this will be determined by given options.
  shrpx_proto downstream_proto;
  // bitwise-OR of one or more of shrpx_forwarded_param values.
@ -424,11 +465,8 @@ struct Config {
  uint16_t port;
  // port in http proxy URI
  uint16_t downstream_http_proxy_port;
-  uint16_t session_cache_memcached_port;
-  uint16_t tls_ticket_key_memcached_port;
  bool verbose;
  bool daemon;
-  bool verify_client;
  bool http2_proxy;
  bool http2_bridge;
  bool client_proxy;
@ -445,7 +483,6 @@ struct Config {
  bool client;
  // true if --client or --client-proxy are enabled.
  bool client_mode;
-  bool insecure;
  bool backend_ipv4;
  bool backend_ipv6;
  bool http2_no_cookie_crumbling;
@ -455,12 +492,7 @@ struct Config {
  bool no_server_push;
  // true if host contains UNIX domain socket path
  bool host_unix;
-  bool no_ocsp;
-  // true if --tls-ticket-key-cipher is used
-  bool tls_ticket_key_cipher_given;
  bool accept_proxy_protocol;
-  size_t tls_dyn_rec_warmup_threshold;
-  ev_tstamp tls_dyn_rec_idle_timeout;
 };

 const Config *get_config();
--- a/src/shrpx_connection_handler.cc
+++ b/src/shrpx_connection_handler.cc
@ -450,7 +450,7 @@ int ConnectionHandler::start_ocsp_update(const char *cert_file) {
  assert(!ev_is_active(&ocsp_.chldev));

  char *const argv[] = {
-      const_cast<char *>(get_config()->fetch_ocsp_response_file.get()),
+      const_cast<char *>(get_config()->tls.ocsp.fetch_ocsp_response_file.get()),
      const_cast<char *>(cert_file), nullptr};
  char *const envp[] = {nullptr};

@ -634,7 +634,7 @@ void ConnectionHandler::proceed_next_cert_ocsp() {
    if (ocsp_.next == all_ssl_ctx_.size()) {
      ocsp_.next = 0;
      // We have updated all ocsp response, and schedule next update.
-      ev_timer_set(&ocsp_timer_, get_config()->ocsp_update_interval, 0.);
+      ev_timer_set(&ocsp_timer_, get_config()->tls.ocsp.update_interval, 0.);
      ev_timer_start(loop_, &ocsp_timer_);
      return;
    }
@ -673,7 +673,7 @@ ConnectionHandler::get_tls_ticket_key_memcached_dispatcher() const {

 void ConnectionHandler::on_tls_ticket_key_network_error(ev_timer *w) {
  if (++tls_ticket_key_memcached_get_retry_count_ >=
-      get_config()->tls_ticket_key_memcached_max_retry) {
+      get_config()->tls.ticket.memcached.max_retry) {
    LOG(WARN) << "Memcached: tls ticket get retry all failed "
              << tls_ticket_key_memcached_get_retry_count_ << " times.";

@ -697,7 +697,7 @@ void ConnectionHandler::on_tls_ticket_key_not_found(ev_timer *w) {
  tls_ticket_key_memcached_get_retry_count_ = 0;

  if (++tls_ticket_key_memcached_fail_count_ >=
-      get_config()->tls_ticket_key_memcached_max_fail) {
+      get_config()->tls.ticket.memcached.max_fail) {
    LOG(WARN) << "Memcached: could not get tls ticket; disable tls ticket";

    tls_ticket_key_memcached_fail_count_ = 0;
@ -742,7 +742,7 @@ void ConnectionHandler::on_tls_ticket_key_get_success(

 void ConnectionHandler::schedule_next_tls_ticket_key_memcached_get(
    ev_timer *w) {
-  ev_timer_set(w, get_config()->tls_ticket_key_memcached_interval, 0.);
+  ev_timer_set(w, get_config()->tls.ticket.memcached.interval, 0.);
  ev_timer_start(loop_, w);
 }

--- a/src/shrpx_http2_session.cc
+++ b/src/shrpx_http2_session.cc
@ -148,8 +148,8 @@ Http2Session::Http2Session(struct ev_loop *loop, SSL_CTX *ssl_ctx,
    : conn_(loop, -1, nullptr, worker->get_mcpool(),
            get_config()->downstream_write_timeout,
            get_config()->downstream_read_timeout, 0, 0, 0, 0, writecb, readcb,
-            timeoutcb, this, get_config()->tls_dyn_rec_warmup_threshold,
-            get_config()->tls_dyn_rec_idle_timeout),
+            timeoutcb, this, get_config()->tls.dyn_rec.warmup_threshold,
+            get_config()->tls.dyn_rec.idle_timeout),
      worker_(worker), connect_blocker_(connect_blocker), ssl_ctx_(ssl_ctx),
      session_(nullptr), data_pending_(nullptr), data_pendinglen_(0),
      addr_idx_(0), group_(group), index_(idx), state_(DISCONNECTED),
@ -331,8 +331,8 @@ int Http2Session::initiate_connection() {
        conn_.set_ssl(ssl);
      }

-      StringRef sni_name = !get_config()->backend_tls_sni_name.empty()
-                               ? get_config()->backend_tls_sni_name
+      StringRef sni_name = !get_config()->tls.backend_sni_name.empty()
+                               ? get_config()->tls.backend_sni_name
                               : downstream_addr.host;

      if (!util::numeric_host(sni_name.c_str())) {
@ -1718,7 +1718,7 @@ int Http2Session::tls_handshake() {
    SSLOG(INFO, this) << "SSL/TLS handshake completed";
  }

-  if (!get_config()->downstream_no_tls && !get_config()->insecure &&
+  if (!get_config()->downstream_no_tls && !get_config()->tls.insecure &&
      check_cert() != 0) {
    return -1;
  }
--- a/src/shrpx_http_downstream_connection.cc
+++ b/src/shrpx_http_downstream_connection.cc
@ -115,8 +115,8 @@ HttpDownstreamConnection::HttpDownstreamConnection(
    : DownstreamConnection(dconn_pool),
      conn_(loop, -1, nullptr, nullptr, get_config()->downstream_write_timeout,
            get_config()->downstream_read_timeout, 0, 0, 0, 0, connectcb,
-            readcb, timeoutcb, this, get_config()->tls_dyn_rec_warmup_threshold,
-            get_config()->tls_dyn_rec_idle_timeout),
+            readcb, timeoutcb, this, get_config()->tls.dyn_rec.warmup_threshold,
+            get_config()->tls.dyn_rec.idle_timeout),
      ioctrl_(&conn_.rlimit), response_htp_{0}, group_(group), addr_idx_(0),
      connected_(false) {}

--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@ -70,7 +70,7 @@ namespace ssl {
 namespace {
 int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
                  void *arg) {
-  auto &prefs = get_config()->alpn_prefs;
+  auto &prefs = get_config()->tls.alpn_prefs;
  *data = prefs.data();
  *len = prefs.size();
  return SSL_TLSEXT_ERR_OK;
@ -124,13 +124,13 @@ set_alpn_prefs(const std::vector<std::string> &protos) {
 namespace {
 int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data) {
  auto config = static_cast<Config *>(user_data);
-  int len = (int)strlen(config->private_key_passwd.get());
+  int len = (int)strlen(config->tls.private_key_passwd.get());
  if (size < len + 1) {
    LOG(ERROR) << "ssl_pem_passwd_cb: buf is too small " << size;
    return 0;
  }
  // Copy string including last '\0'.
-  memcpy(buf, config->private_key_passwd.get(), len + 1);
+  memcpy(buf, config->tls.private_key_passwd.get(), len + 1);
  return len;
 }
 } // namespace
@ -346,7 +346,7 @@ int ticket_key_cb(SSL *ssl, unsigned char *key_name, unsigned char *iv,

    std::copy(std::begin(key.data.name), std::end(key.data.name), key_name);

-    EVP_EncryptInit_ex(ctx, get_config()->tls_ticket_key_cipher, nullptr,
+    EVP_EncryptInit_ex(ctx, get_config()->tls.ticket.cipher, nullptr,
                       key.data.enc_key.data(), iv);
    HMAC_Init_ex(hctx, key.data.hmac_key.data(), key.hmac_keylen, key.hmac,
                 nullptr);
@ -411,7 +411,7 @@ int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
  // We assume that get_config()->npn_list contains ALPN protocol
  // identifier sorted by preference order.  So we just break when we
  // found the first overlap.
-  for (const auto &target_proto_id : get_config()->npn_list) {
+  for (const auto &target_proto_id : get_config()->tls.npn_list) {
    for (auto p = in, end = in + inlen; p < end;) {
      auto proto_id = p + 1;
      auto proto_len = *p;
@ -477,22 +477,24 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
      SSL_OP_SINGLE_DH_USE | SSL_OP_CIPHER_SERVER_PREFERENCE;

-  SSL_CTX_set_options(ssl_ctx, ssl_opts | get_config()->tls_proto_mask);
+  auto &tlsconf = get_config()->tls;
+
+  SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);

  const unsigned char sid_ctx[] = "shrpx";
  SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
  SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);

-  if (get_config()->session_cache_memcached_host) {
+  if (tlsconf.session_cache.memcached.host) {
    SSL_CTX_sess_set_new_cb(ssl_ctx, tls_session_new_cb);
    SSL_CTX_sess_set_get_cb(ssl_ctx, tls_session_get_cb);
  }

-  SSL_CTX_set_timeout(ssl_ctx, get_config()->tls_session_timeout.count());
+  SSL_CTX_set_timeout(ssl_ctx, tlsconf.session_timeout.count());

  const char *ciphers;
-  if (get_config()->ciphers) {
-    ciphers = get_config()->ciphers.get();
+  if (tlsconf.ciphers) {
+    ciphers = tlsconf.ciphers.get();
  } else {
    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
  }
@ -525,9 +527,9 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file

 #endif // OPENSSL_NO_EC

-  if (get_config()->dh_param_file) {
+  if (tlsconf.dh_param_file) {
    // Read DH parameters from file
-    auto bio = BIO_new_file(get_config()->dh_param_file.get(), "r");
+    auto bio = BIO_new_file(tlsconf.dh_param_file.get(), "r");
    if (bio == nullptr) {
      LOG(FATAL) << "BIO_new_file() failed: "
                 << ERR_error_string(ERR_get_error(), nullptr);
@ -546,7 +548,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file

  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
  SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
-  if (get_config()->private_key_passwd) {
+  if (tlsconf.private_key_passwd) {
    SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)get_config());
  }
@ -576,14 +578,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
               << ERR_error_string(ERR_get_error(), nullptr);
    DIE();
  }
-  if (get_config()->verify_client) {
-    if (get_config()->verify_client_cacert) {
+  if (tlsconf.client_verify.enabled) {
+    if (tlsconf.client_verify.cacert) {
      if (SSL_CTX_load_verify_locations(
-              ssl_ctx, get_config()->verify_client_cacert.get(), nullptr) !=
-          1) {
+              ssl_ctx, tlsconf.client_verify.cacert.get(), nullptr) != 1) {

        LOG(FATAL) << "Could not load trusted ca certificates from "
-                   << get_config()->verify_client_cacert.get() << ": "
+                   << tlsconf.client_verify.cacert.get() << ": "
                   << ERR_error_string(ERR_get_error(), nullptr);
        DIE();
      }
@ -591,11 +592,10 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
      // error even though it returns success. See
      // http://forum.nginx.org/read.php?29,242540
      ERR_clear_error();
-      auto list =
-          SSL_load_client_CA_file(get_config()->verify_client_cacert.get());
+      auto list = SSL_load_client_CA_file(tlsconf.client_verify.cacert.get());
      if (!list) {
        LOG(FATAL) << "Could not load ca certificates from "
-                   << get_config()->verify_client_cacert.get() << ": "
+                   << tlsconf.client_verify.cacert.get() << ": "
                   << ERR_error_string(ERR_get_error(), nullptr);
        DIE();
      }
@ -656,11 +656,13 @@ SSL_CTX *create_ssl_client_context(
                            SSL_OP_NO_COMPRESSION |
                            SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;

-  SSL_CTX_set_options(ssl_ctx, ssl_opts | get_config()->tls_proto_mask);
+  auto &tlsconf = get_config()->tls;
+
+  SSL_CTX_set_options(ssl_ctx, ssl_opts | tlsconf.tls_proto_mask);

  const char *ciphers;
-  if (get_config()->ciphers) {
-    ciphers = get_config()->ciphers.get();
+  if (tlsconf.ciphers) {
+    ciphers = tlsconf.ciphers.get();
  } else {
    ciphers = nghttp2::ssl::DEFAULT_CIPHER_LIST;
  }
@ -678,44 +680,44 @@ SSL_CTX *create_ssl_client_context(
              << ERR_error_string(ERR_get_error(), nullptr);
  }

-  if (get_config()->cacert) {
-    if (SSL_CTX_load_verify_locations(ssl_ctx, get_config()->cacert.get(),
-                                      nullptr) != 1) {
+  if (tlsconf.cacert) {
+    if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.get(), nullptr) !=
+        1) {

      LOG(FATAL) << "Could not load trusted ca certificates from "
-                 << get_config()->cacert.get() << ": "
+                 << tlsconf.cacert.get() << ": "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
  }

-  if (get_config()->client_private_key_file) {
+  if (tlsconf.client.private_key_file) {
 #ifndef HAVE_NEVERBLEED
    if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
-                                    get_config()->client_private_key_file.get(),
+                                    tlsconf.client.private_key_file.get(),
                                    SSL_FILETYPE_PEM) != 1) {
      LOG(FATAL) << "Could not load client private key from "
-                 << get_config()->client_private_key_file.get() << ": "
+                 << tlsconf.client.private_key_file.get() << ": "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
 #else  // HAVE_NEVERBLEED
    std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
-    if (neverbleed_load_private_key_file(
-            nb, ssl_ctx, get_config()->client_private_key_file.get(),
-            errbuf.data()) != 1) {
+    if (neverbleed_load_private_key_file(nb, ssl_ctx,
+                                         tlsconf.client.private_key_file.get(),
+                                         errbuf.data()) != 1) {
      LOG(FATAL) << "neverbleed_load_private_key_file failed: "
                 << errbuf.data();
      DIE();
    }
 #endif // HAVE_NEVERBLEED
  }
-  if (get_config()->client_cert_file) {
+  if (tlsconf.client.cert_file) {
    if (SSL_CTX_use_certificate_chain_file(
-            ssl_ctx, get_config()->client_cert_file.get()) != 1) {
+            ssl_ctx, tlsconf.client.cert_file.get()) != 1) {

      LOG(FATAL) << "Could not load client certificate from "
-                 << get_config()->client_cert_file.get() << ": "
+                 << tlsconf.client.cert_file.get() << ": "
                 << ERR_error_string(ERR_get_error(), nullptr);
      DIE();
    }
@ -971,9 +973,11 @@ int check_cert(SSL *ssl, const DownstreamAddr *addr) {
               << X509_verify_cert_error_string(verify_res);
    return -1;
  }
-  auto hostname = !get_config()->backend_tls_sni_name.empty()
-                      ? StringRef(get_config()->backend_tls_sni_name)
-                      : StringRef(addr->host);
+
+  auto &backend_sni_name = get_config()->tls.backend_sni_name;
+
+  auto hostname = !backend_sni_name.empty() ? StringRef(backend_sni_name)
+                                            : StringRef(addr->host);
  if (verify_hostname(cert, hostname.c_str(), hostname.size(), &addr->addr) !=
      0) {
    LOG(ERROR) << "Certificate verification failed: hostname does not match";
@ -1214,8 +1218,10 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
    return nullptr;
  }

-  auto ssl_ctx = ssl::create_ssl_context(get_config()->private_key_file.get(),
-                                         get_config()->cert_file.get()
+  auto &tlsconf = get_config()->tls;
+
+  auto ssl_ctx = ssl::create_ssl_context(tlsconf.private_key_file.get(),
+                                         tlsconf.cert_file.get()
 #ifdef HAVE_NEVERBLEED
                                             ,
                                         nb
@ -1224,7 +1230,7 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,

  all_ssl_ctx.push_back(ssl_ctx);

-  if (get_config()->subcerts.empty()) {
+  if (tlsconf.subcerts.empty()) {
    return ssl_ctx;
  }

@ -1234,7 +1240,7 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
    return ssl_ctx;
  }

-  for (auto &keycert : get_config()->subcerts) {
+  for (auto &keycert : tlsconf.subcerts) {
    auto ssl_ctx =
        ssl::create_ssl_context(keycert.first.c_str(), keycert.second.c_str()
 #ifdef HAVE_NEVERBLEED
@ -1250,8 +1256,8 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
    }
  }

-  if (ssl::cert_lookup_tree_add_cert_from_file(
-          cert_tree, ssl_ctx, get_config()->cert_file.get()) == -1) {
+  if (ssl::cert_lookup_tree_add_cert_from_file(cert_tree, ssl_ctx,
+                                               tlsconf.cert_file.get()) == -1) {
    LOG(FATAL) << "Failed to add default certificate.";
    DIE();
  }
@ -1284,7 +1290,7 @@ SSL_CTX *setup_client_ssl_context(
 }

 CertLookupTree *create_cert_lookup_tree() {
-  if (get_config()->upstream_no_tls || get_config()->subcerts.empty()) {
+  if (get_config()->upstream_no_tls || get_config()->tls.subcerts.empty()) {
    return nullptr;
  }
  return new ssl::CertLookupTree();
--- a/src/shrpx_worker.cc
+++ b/src/shrpx_worker.cc
@ -83,9 +83,11 @@ Worker::Worker(struct ev_loop *loop, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx,
  ev_timer_init(&mcpool_clear_timer_, mcpool_clear_cb, 0., 0.);
  mcpool_clear_timer_.data = this;

-  if (get_config()->session_cache_memcached_host) {
+  auto &session_cacheconf = get_config()->tls.session_cache;
+
+  if (session_cacheconf.memcached.host) {
    session_cache_memcached_dispatcher_ = make_unique<MemcachedDispatcher>(
-        &get_config()->session_cache_memcached_addr, loop);
+        &session_cacheconf.memcached.addr, loop);
  }

  if (get_config()->downstream_proto == PROTO_HTTP2) {
--- a/src/shrpx_worker_process.cc
+++ b/src/shrpx_worker_process.cc
@ -170,7 +170,7 @@ void ipc_readcb(struct ev_loop *loop, ev_io *w, int revents) {

 namespace {
 int generate_ticket_key(TicketKey &ticket_key) {
-  ticket_key.cipher = get_config()->tls_ticket_key_cipher;
+  ticket_key.cipher = get_config()->tls.ticket.cipher;
  ticket_key.hmac = EVP_sha256();
  ticket_key.hmac_keylen = EVP_MD_size(ticket_key.hmac);

@ -217,7 +217,7 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) {

    auto max_tickets =
        static_cast<size_t>(std::chrono::duration_cast<std::chrono::hours>(
-                                get_config()->tls_session_timeout).count());
+                                get_config()->tls.session_timeout).count());

    new_keys.resize(std::min(max_tickets, old_keys.size() + 1));
    std::copy_n(std::begin(old_keys), new_keys.size() - 1,
@ -297,14 +297,16 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
    auto end = p + value.size();
    p += 4;

+    auto &ticketconf = get_config()->tls.ticket;
+
    size_t expectedlen;
    size_t enc_keylen;
    size_t hmac_keylen;
-    if (get_config()->tls_ticket_key_cipher == EVP_aes_128_cbc()) {
+    if (ticketconf.cipher == EVP_aes_128_cbc()) {
      expectedlen = 48;
      enc_keylen = 16;
      hmac_keylen = 16;
-    } else if (get_config()->tls_ticket_key_cipher == EVP_aes_256_cbc()) {
+    } else if (ticketconf.cipher == EVP_aes_256_cbc()) {
      expectedlen = 80;
      enc_keylen = 32;
      hmac_keylen = 32;
@ -335,7 +337,7 @@ void memcached_get_ticket_key_cb(struct ev_loop *loop, ev_timer *w,
        return;
      }
      auto key = TicketKey();
-      key.cipher = get_config()->tls_ticket_key_cipher;
+      key.cipher = ticketconf.cipher;
      key.hmac = EVP_sha256();
      key.hmac_keylen = hmac_keylen;

@ -423,10 +425,11 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {

  ev_timer renew_ticket_key_timer;
  if (!get_config()->upstream_no_tls) {
-    if (get_config()->tls_ticket_key_memcached_host) {
+    auto &ticketconf = get_config()->tls.ticket;
+
+    if (ticketconf.memcached.host) {
      conn_handler.set_tls_ticket_key_memcached_dispatcher(
-          make_unique<MemcachedDispatcher>(
-              &get_config()->tls_ticket_key_memcached_addr, loop));
+          make_unique<MemcachedDispatcher>(&ticketconf.memcached.addr, loop));

      ev_timer_init(&renew_ticket_key_timer, memcached_get_ticket_key_cb, 0.,
                    0.);
@ -435,8 +438,8 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
      memcached_get_ticket_key_cb(loop, &renew_ticket_key_timer, 0);
    } else {
      bool auto_tls_ticket_key = true;
-      if (!get_config()->tls_ticket_key_files.empty()) {
-        if (!get_config()->tls_ticket_key_cipher_given) {
+      if (!ticketconf.files.empty()) {
+        if (!ticketconf.cipher_given) {
          LOG(WARN)
              << "It is strongly recommended to specify "
                 "--tls-ticket-key-cipher=aes-128-cbc (or "
@ -446,8 +449,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
                 "becomes aes-256-cbc";
        }
        auto ticket_keys = read_tls_ticket_key_file(
-            get_config()->tls_ticket_key_files,
-            get_config()->tls_ticket_key_cipher, EVP_sha256());
+            ticketconf.files, ticketconf.cipher, EVP_sha256());
        if (!ticket_keys) {
          LOG(WARN) << "Use internal session ticket key generator";
        } else {
@ -512,7 +514,7 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
  ipcev.data = &conn_handler;
  ev_io_start(loop, &ipcev);

-  if (!get_config()->upstream_no_tls && !get_config()->no_ocsp) {
+  if (!get_config()->upstream_no_tls && !get_config()->tls.ocsp.disabled) {
    conn_handler.proceed_next_cert_ocsp();
  }