bneradt commented on code in PR #13006:
URL: https://github.com/apache/trafficserver/pull/13006#discussion_r2967518696
##########
src/iocore/net/SSLUtils.cc:
##########
@@ -493,6 +491,69 @@ ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX
*ctx)
return ctx;
}
+#if TS_HAS_TLS_SESSION_TICKET
+static bool
+ssl_context_enable_ticket_callback(SSL_CTX *ctx)
+{
+#ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
+ if (SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket)
== 0) {
+#else
+ if (SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket) == 0)
{
+#endif
+ Error("failed to set session ticket callback");
+ return false;
+ }
+ return true;
+}
+
+static bool
+ssl_apply_sni_session_ticket_properties(SSL *ssl)
+{
+ auto snis = TLSSNISupport::getInstance(ssl);
+ if (snis == nullptr) {
+ return true;
+ }
+
+ auto const &hints = snis->hints_from_sni;
+ if (!hints.ssl_ticket_enabled.has_value() &&
!hints.ssl_ticket_number.has_value()) {
+ return true;
+ }
+
+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+ if (ctx == nullptr) {
+ return false;
+ }
+
+ if (hints.ssl_ticket_enabled.has_value()) {
+ if (hints.ssl_ticket_enabled.value() != 0) {
+ if (!ssl_context_enable_ticket_callback(ctx)) {
+ return false;
+ }
Review Comment:
Agreed on the earlier concern, and the patch has since been simplified in
that direction. ssl_apply_sni_session_ticket_properties() no longer calls
ssl_context_enable_ticket_callback() or mutates SSL_CTX during
ssl_cert_callback(). The ticket callback is still installed during context
initialization, and the handshake-time logic now only adjusts per-connection
SSL * state for the SNI override.