changeset 19326:098de79b89c8
ssl_options: Added support for no_ticket
author | Timo Sirainen <tss@iki.fi> |
date | Wed, 21 Oct 2015 13:32:58 +0300 |
parents | 0c2f8cb41fea |
children | a98aaaf55b13 |
files | src/lib-master/master-service-ssl-settings.c src/lib-master/master-service-ssl-settings.h src/lib-ssl-iostream/iostream-openssl-context.c src/lib-ssl-iostream/iostream-ssl.h src/login-common/ssl-proxy-openssl.c |
diffstat | 5 files changed, 16 insertions(+), 0 deletions(-) [+] |
--- a/src/lib-master/master-service-ssl-settings.c Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-master/master-service-ssl-settings.c Wed Oct 21 13:32:58 2015 +0300
@@ -104,6 +104,7 @@
 /* Now explode the ssl_options string into individual flags */
 /* First set them all to defaults */
 set->parsed_opts.compression = TRUE;
+set->parsed_opts.tickets = TRUE;
 /* Then modify anything specified in the string */
 const char **opts = t_strsplit_spaces(set->ssl_options, ", ");
@@ -111,6 +112,8 @@
 while ((opt = *opts++) != NULL) {
 if (strcasecmp(opt, "no_compression") == 0) {
 set->parsed_opts.compression = FALSE;
+} else if (strcasecmp(opt, "no_ticket") == 0) {
+set->parsed_opts.tickets = FALSE;
 } else {
 *error_r = t_strdup_printf("ssl_options: unknown flag: '%s'", opt);
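Review bot: The new default `set->parsed_opts.tickets = TRUE;` in the first hunk carries no comment saying what the flag trades off, so a reader of the settings parser cannot tell when an operator would want no_ticket. Suggest `/* TLS session tickets (RFC 5077) stay enabled, as in OpenSSL; no_ticket turns them off for deployments that do not want resumption state protected only by the context's ticket key */` above the assignment, and a one-liner on the new `no_ticket` branch in the second hunk noting that the spelling mirrors OpenSSL's SSL_OP_NO_TICKET rather than the `tickets` field name. The enclosing function starts before the first hunk and ends after the second.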
--- a/src/lib-master/master-service-ssl-settings.h Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-master/master-service-ssl-settings.h Wed Oct 21 13:32:58 2015 +0300
@@ -23,6 +23,7 @@
 /* These are derived from ssl_options, not set directly */
 struct {
 bool compression;
+bool tickets;
 } parsed_opts;
 };
--- a/src/lib-ssl-iostream/iostream-openssl-context.c Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c Wed Oct 21 13:32:58 2015 +0300
@@ -510,6 +510,10 @@
 if (!set->compression)
 ssl_ops |= SSL_OP_NO_COMPRESSION;
 #endif
+#ifdef SSL_OP_NO_TICKET
+ if (!set->tickets)
+ ssl_ops |= SSL_OP_NO_TICKET;
+#endif
 SSL_CTX_set_options(ctx->ssl_ctx, ssl_ops);
 #ifdef SSL_MODE_RELEASE_BUFFERS
 SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
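Review bot: The `#ifdef SSL_OP_NO_TICKET` guard silently discards the setting on a build where the macro is absent: the parser in master-service-ssl-settings.c accepts `no_ticket` unconditionally, so the operator sees no error while tickets stay enabled. For a hardening knob an `#else` branch that reports the unsupported option is preferable, e.g. `#else` / `if (!set->tickets)` / `i_warning("ssl_options: no_ticket not supported by this OpenSSL build");` (or this function's error path, if it has one); the identical block in the 1029 hunk of src/login-common/ssl-proxy-openssl.c has the same gap. The guard is probably dead in practice, since SSL_OP_NO_TICKET has been defined since the OpenSSL 0.9.8 series, which also argues for dropping the #ifdef rather than keeping a silent no-op path. The enclosing function starts and ends outside the hunk.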
--- a/src/lib-ssl-iostream/iostream-ssl.h Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-ssl-iostream/iostream-ssl.h Wed Oct 21 13:32:58 2015 +0300
@@ -19,6 +19,7 @@
 bool require_valid_cert; /* stream-only */
 bool prefer_server_ciphers;
 bool compression;
+bool tickets;
 };
 /* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
--- a/src/login-common/ssl-proxy-openssl.c Tue Oct 20 21:23:03 2015 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Wed Oct 21 13:32:58 2015 +0300
@@ -103,6 +103,7 @@
 bool verify_client_cert;
 bool prefer_server_ciphers;
 bool compression;
+bool tickets;
 };
 static int extdata_index;
@@ -649,6 +650,7 @@
 login_set->auth_ssl_username_from_cert;
 lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
 lookup_ctx.compression = set->parsed_opts.compression;
+lookup_ctx.tickets = set->parsed_opts.tickets;
 ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
 if (ctx == NULL)
@@ -1029,6 +1031,10 @@
 if (!set->parsed_opts.compression)
 ssl_ops |= SSL_OP_NO_COMPRESSION;
 #endif
+#ifdef SSL_OP_NO_TICKET
+ if (!set->parsed_opts.tickets)
+ ssl_ops |= SSL_OP_NO_TICKET;
+#endif
 SSL_CTX_set_options(ssl_ctx, ssl_ops);
 #ifdef SSL_MODE_RELEASE_BUFFERS
@@ -1301,6 +1307,7 @@
 login_set->auth_ssl_username_from_cert;
 ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
 ctx->compression = ssl_set->parsed_opts.compression;
+ctx->tickets = ssl_set->parsed_opts.tickets;
 ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 if (ssl_ctx == NULL)
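Review bot: `lookup_ctx.tickets = set->parsed_opts.tickets;` in the 649 hunk adds a field to the key used for `hash_table_lookup(ssl_servers, &lookup_ctx)`, but nothing in this commit shows the hash and compare callbacks of that table being taught about it. If they ignore `tickets` (as they may already do for the neighbouring `compression` field), two listeners whose ssl_options differ only in no_ticket resolve to the same cached SSL_CTX and the second one's setting is silently lost, which is a quiet failure for a security setting. Worth confirming the compare callback, which is outside the hunk, consults the new field, and adding `tickets` next to the other booleans it compares. The enclosing function starts and ends outside the hunk.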