This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new e0b0d11  SSL: Introduce proxy.config.ssl.server.session_ticket.number
e0b0d11 is described below

commit e0b0d1127a1ed228f967cebd676d7750867e265f
Author: Valentin Gutierrez <vgutier...@wikimedia.org>
AuthorDate: Mon Feb 17 14:02:59 2020 +0000

    SSL: Introduce proxy.config.ssl.server.session_ticket.number
    
    proxy.config.ssl.server.session_ticket.number allows controlling
    the number of TLSv1.3 session tickets that are issued. The default
    value of 2 is inherited from OpenSSL.
    
    See https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html
    for more details
    
    (cherry picked from commit e78ecef3fa7101ac3d6ea80a3c065e14ac56c38b)
---
 doc/admin-guide/files/records.config.en.rst | 15 +++++++++++++++
 iocore/net/P_SSLCertLookup.h                |  2 ++
 iocore/net/SSLUtils.cc                      | 11 +++++++++++
 mgmt/RecordsConfig.cc                       |  2 ++
 4 files changed, 30 insertions(+)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index edb8344..0ff8556 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3405,6 +3405,21 @@ SSL Termination
 
   Set to 1 to enable Traffic Server to process TLS tickets for TLS session 
resumption.
 
+.. ts:cv:: CONFIG proxy.config.ssl.server.session_ticket.number INT 2
+
+  This configuration control the number of TLSv1.3 session tickets that are 
issued.
+  Take into account that setting the value to 0 will disable session caching 
for TLSv1.3
+  connections.
+
+  Lowering this setting to ``1`` can be interesting when 
``proxy.config.ssl.session_cache`` is enabled because
+  otherwise for every new TLSv1.3 connection two session IDs will be inserted 
in the session cache.
+  On the other hand, if ``proxy.config.ssl.session_cache``  is disabled, using 
the default value is recommended.
+  In those scenarios, increasing the number of tickets could be potentially 
benefitial for clients performing
+  multiple requests over concurrent TLS connections as per RFC 8446 clients 
SHOULDN'T reuse TLS Tickets.
+
+  For more information see 
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html
+  [Requires OpenSSL v1.1.1 and higher]
+
 .. ts:cv:: CONFIG proxy.config.ssl.hsts_max_age INT -1
    :overridable:
 
diff --git a/iocore/net/P_SSLCertLookup.h b/iocore/net/P_SSLCertLookup.h
index b36daf8..1e89361 100644
--- a/iocore/net/P_SSLCertLookup.h
+++ b/iocore/net/P_SSLCertLookup.h
@@ -46,9 +46,11 @@ struct SSLMultiCertConfigParams {
   SSLMultiCertConfigParams() : opt(SSLCertContextOption::OPT_NONE)
   {
     REC_ReadConfigInt32(session_ticket_enabled, 
"proxy.config.ssl.server.session_ticket.enable");
+    REC_ReadConfigInt32(session_ticket_number, 
"proxy.config.ssl.server.session_ticket.number");
   }
 
   int session_ticket_enabled;   ///< session ticket enabled
+  int session_ticket_number;    ///< amount of session tickets to issue for 
new TLSv1.3 connections
   ats_scoped_str addr;          ///< IPv[64] address to match
   ats_scoped_str cert;          ///< certificate
   ats_scoped_str first_cert;    ///< the first certificate name when multiple 
cert files are in 'ssl_cert_name'
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 54cc5e8..95dc636 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -76,6 +76,7 @@ static constexpr std::string_view SSL_CA_TAG("ssl_ca_name"sv);
 static constexpr std::string_view SSL_ACTION_TAG("action"sv);
 static constexpr std::string_view SSL_ACTION_TUNNEL_TAG("tunnel"sv);
 static constexpr std::string_view 
SSL_SESSION_TICKET_ENABLED("ssl_ticket_enabled"sv);
+static constexpr std::string_view 
SSL_SESSION_TICKET_NUMBER("ssl_ticket_number"sv);
 static constexpr std::string_view SSL_KEY_DIALOG("ssl_key_dialog"sv);
 static constexpr std::string_view SSL_SERVERNAME("dest_fqdn"sv);
 static constexpr char SSL_CERT_SEPARATE_DELIM = ',';
@@ -1319,6 +1320,12 @@ 
SSLMultiCertConfigLoader::init_server_ssl_ctx(std::vector<X509 *> &cert_list, co
       Debug("ssl", "ssl session ticket is disabled");
     }
 #endif
+#if defined(TLS1_3_VERSION) && !defined(LIBRESSL_VERSION_NUMBER) && 
!defined(OPENSSL_IS_BORINGSSL)
+    if (!(params->ssl_ctx_options & SSL_OP_NO_TLSv1_3)) {
+      SSL_CTX_set_num_tickets(ctx, sslMultCertSettings->session_ticket_number);
+      Debug("ssl", "ssl session ticket number set to %d", 
sslMultCertSettings->session_ticket_number);
+    }
+#endif
   }
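Review bot: `SSL_CTX_set_num_tickets(ctx, sslMultCertSettings->session_ticket_number)` passes an `int` into a `size_t` parameter with no lower-bound check, so a negative value coming from records.config, or from the `ssl_ticket_number` attribute parsed with `atoi` in the ssl_extract_certificate hunk later in this file, would be converted to a huge ticket count rather than rejected. Nothing upstream validates it either: the new entry in mgmt/RecordsConfig.cc is declared with `RECC_NULL, nullptr`, whereas the neighbouring `session_ticket.enable` entry carries a `RECC_INT` range check, and the same range mechanism would cover the records.config path here. At minimum guard the call and make the conversion explicit, e.g. `if (sslMultCertSettings->session_ticket_number >= 0) {` around `SSL_CTX_set_num_tickets(ctx, static_cast<size_t>(sslMultCertSettings->session_ticket_number));`, with a `Debug("ssl", ...)` line for the rejected value. The enclosing function init_server_ssl_ctx both starts and ends outside this hunk.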
 
   if (params->clientCertLevel != 0) {
@@ -1557,6 +1564,10 @@ ssl_extract_certificate(const matcher_line *line_info, 
SSLMultiCertConfigParams
       sslMultCertSettings->session_ticket_enabled = atoi(value);
     }
 
+    if (strcasecmp(label, SSL_SESSION_TICKET_NUMBER) == 0) {
+      sslMultCertSettings->session_ticket_number = atoi(value);
+    }
+
     if (strcasecmp(label, SSL_KEY_DIALOG) == 0) {
       sslMultCertSettings->dialog = ats_strdup(value);
     }
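Review bot: The new per-certificate `ssl_ticket_number` attribute of ssl_multicert.config is parsed here, but the commit's diffstat touches only records.config.en.rst, so the attribute and its relationship to the records.config default are undocumented; a short entry in the ssl_multicert.config documentation naming `ssl_ticket_number` as an optional per-certificate override of proxy.config.ssl.server.session_ticket.number would close that gap. Separately, `atoi(value)` returns 0 for any non-numeric input, which (per the records.config text in this commit) silently disables TLSv1.3 session resumption for that certificate on a typo; if the file's existing `session_ticket_enabled` parsing is kept as-is for consistency, a `Debug("ssl", ...)` or comment noting that behaviour on the `atoi` line is worth adding, e.g. `// atoi yields 0 on malformed input, which turns off TLSv1.3 tickets for this cert`. The enclosing function ssl_extract_certificate starts and ends outside this hunk.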
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 82cdd70..5b29c4b 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1060,6 +1060,8 @@ static const RecordElement RecordsConfig[] =
   
//##############################################################################
   {RECT_CONFIG, "proxy.config.ssl.server.session_ticket.enable", RECD_INT, 
"1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.server.session_ticket.number", RECD_INT, 
"2", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL},
+
   {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "0", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "0", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
