This is an automated email from the ASF dual-hosted git repository. vgutierrez pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new e78ecef SSL: Introduce proxy.config.ssl.server.session_ticket.number e78ecef is described below
commit e78ecef3fa7101ac3d6ea80a3c065e14ac56c38b
Author: Valentin Gutierrez <vgutier...@wikimedia.org>
AuthorDate: Mon Feb 17 14:02:59 2020 +0000
SSL: Introduce proxy.config.ssl.server.session_ticket.number proxy.config.ssl.server.session_ticket.number allows to control the number of TLSv1.3 session tickets that are issued. The default values of 2 is inherited from OpenSSL. See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html for more details
---
 doc/admin-guide/files/records.config.en.rst | 15 +++++++++++++++
 iocore/net/P_SSLCertLookup.h | 2 ++
 iocore/net/SSLUtils.cc | 11 +++++++++++
 mgmt/RecordsConfig.cc | 2 ++
 4 files changed, 30 insertions(+)
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 4467665..90b2e0d 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3421,6 +3421,21 @@ SSL Termination Set to 1 to enable Traffic Server to process TLS tickets for TLS session resumption. +.. ts:cv:: CONFIG proxy.config.ssl.server.session_ticket.number INT 2 + + This configuration control the number of TLSv1.3 session tickets that are issued. + Take into account that setting the value to 0 will disable session caching for TLSv1.3 + connections. + + Lowering this setting to ``1`` can be interesting when ``proxy.config.ssl.session_cache`` is enabled because + otherwise for every new TLSv1.3 connection two session IDs will be inserted in the session cache. + On the other hand, if ``proxy.config.ssl.session_cache`` is disabled, using the default value is recommended. + In those scenarios, increasing the number of tickets could be potentially benefitial for clients performing + multiple requests over concurrent TLS connections as per RFC 8446 clients SHOULDN'T reuse TLS Tickets. + + For more information see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html + [Requires OpenSSL v1.1.1 and higher] + .. ts:cv:: CONFIG proxy.config.ssl.hsts_max_age INT -1 :overridable:
diff --git a/iocore/net/P_SSLCertLookup.h b/iocore/net/P_SSLCertLookup.h
index 0adc8d6..7ee0f2a 100644
--- a/iocore/net/P_SSLCertLookup.h
+++ b/iocore/net/P_SSLCertLookup.h
@@ -46,9 +46,11 @@ struct SSLMultiCertConfigParams {
   SSLMultiCertConfigParams() : opt(SSLCertContextOption::OPT_NONE)
   {
     REC_ReadConfigInt32(session_ticket_enabled, "proxy.config.ssl.server.session_ticket.enable");
+    REC_ReadConfigInt32(session_ticket_number, "proxy.config.ssl.server.session_ticket.number");
   }
 
   int session_ticket_enabled; ///< session ticket enabled
+  int session_ticket_number; ///< amount of session tickets to issue for new TLSv1.3 connections
   ats_scoped_str addr; ///< IPv[64] address to match
   ats_scoped_str cert; ///< certificate
   ats_scoped_str first_cert; ///< the first certificate name when multiple cert files are in 'ssl_cert_name'
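Review bot: The `///<` comment on the new `session_ticket_number` member says "amount of session tickets" but does not say where the value comes from or that, like `session_ticket_enabled` beside it, it is only ever assigned by `REC_ReadConfigInt32` in the constructor, so the struct itself carries no default. Since the SSLUtils.cc part of this commit also lets ssl_multicert.config overwrite it per certificate, the comment is the one place a reader would look for that. Suggest `int session_ticket_number; ///< number of TLSv1.3 session tickets to issue per new connection; from proxy.config.ssl.server.session_ticket.number, overridable per certificate`. The `SSLMultiCertConfigParams` struct continues outside the hunk.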
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 97ff0ff..2dbfb27 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -77,6 +77,7 @@ static constexpr std::string_view SSL_CA_TAG("ssl_ca_name"sv);
 static constexpr std::string_view SSL_ACTION_TAG("action"sv);
 static constexpr std::string_view SSL_ACTION_TUNNEL_TAG("tunnel"sv);
 static constexpr std::string_view SSL_SESSION_TICKET_ENABLED("ssl_ticket_enabled"sv);
+static constexpr std::string_view SSL_SESSION_TICKET_NUMBER("ssl_ticket_number"sv);
 static constexpr std::string_view SSL_KEY_DIALOG("ssl_key_dialog"sv);
 static constexpr std::string_view SSL_SERVERNAME("dest_fqdn"sv);
 static constexpr char SSL_CERT_SEPARATE_DELIM = ',';
@@ -1273,6 +1274,12 @@ SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
       Debug("ssl", "ssl session ticket is disabled");
     }
 #endif
+#if defined(TLS1_3_VERSION) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+    if (!(params->ssl_ctx_options & SSL_OP_NO_TLSv1_3)) {
+      SSL_CTX_set_num_tickets(ctx, sslMultCertSettings->session_ticket_number);
+      Debug("ssl", "ssl session ticket number set to %d", sslMultCertSettings->session_ticket_number);
+    }
+#endif
   }
 
   if (params->clientCertLevel != 0) {
@@ -1544,6 +1551,10 @@ ssl_extract_certificate(const matcher_line *line_info, SSLMultiCertConfigParams
       sslMultCertSettings->session_ticket_enabled = atoi(value);
     }
 
+    if (strcasecmp(label, SSL_SESSION_TICKET_NUMBER) == 0) {
+      sslMultCertSettings->session_ticket_number = atoi(value);
+    }
+
     if (strcasecmp(label, SSL_KEY_DIALOG) == 0) {
       sslMultCertSettings->dialog = ats_strdup(value);
     }
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 99d7a6c..b7c7fdc 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
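Review bot: `SSL_CTX_set_num_tickets(ctx, sslMultCertSettings->session_ticket_number)` hands an `int` to an OpenSSL API whose parameter is `size_t`, and nothing on the way here rejects a negative value: the record is registered with `RECC_NULL, nullptr` in the RecordsConfig.cc hunk (the neighbouring `session_ticket.enable` row uses `RECC_INT, "[0-1]"`), and the `ssl_extract_certificate` hunk further down stores `atoi(value)` unchecked. A misconfigured negative number therefore becomes a very large ticket count instead of a configuration error, with the `Debug` line printing the negative value. Suggest guarding the call, `if (sslMultCertSettings->session_ticket_number >= 0) { SSL_CTX_set_num_tickets(ctx, sslMultCertSettings->session_ticket_number); }` (or clamping to 0 with a warning), and giving the record a range check in the `RECC_INT` style of its neighbours, e.g. `RECC_INT, "[0-255]"` (example bound, choose one the deployment needs). `init_server_ssl_ctx` starts and ends outside the hunk.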
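Review bot: The `ssl_ticket_number` key accepted here is a new per-certificate override for ssl_multicert.config, yet the diffstat lists only records.config.en.rst among the documentation files, so the ssl_multicert.config reference does not describe it. `atoi` also returns 0 for any non-numeric value, which according to the records.config text added in this commit disables TLSv1.3 session caching, so a typo in the line silently turns off resumption for that certificate with no log output; emitting a warning when `value` fails to parse would make that visible. Suggest documenting `ssl_ticket_number` next to `ssl_ticket_enabled`, stating that it applies to TLSv1.3 only, that 0 disables ticket issuance, and which build configurations honour it. `ssl_extract_certificate` starts and ends outside the hunk.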
@@ -1060,6 +1060,8 @@ static const RecordElement RecordsConfig[] =
   //##############################################################################
   {RECT_CONFIG, "proxy.config.ssl.server.session_ticket.enable", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.server.session_ticket.number", RECD_INT, "2", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL},
+
   {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}