Posted to commits@trafficserver.apache.org by ma...@apache.org on 2019/02/21 22:59:15 UTC

[trafficserver] branch master updated: Cleanup: Set SSL_OP_NO_TICKET in SSLInitServerContext()

This is an automated email from the ASF dual-hosted git repository.

masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 837250c  Cleanup: Set SSL_OP_NO_TICKET in SSLInitServerContext()
837250c is described below

commit 837250cc6af9be61c1b5b495dd40aa08aa341067
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Thu Feb 21 11:58:32 2019 +0900

    Cleanup: Set SSL_OP_NO_TICKET in SSLInitServerContext()
---
 iocore/net/SSLUtils.cc | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 305317a..111ec1b 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1872,7 +1872,16 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
         goto fail;
       }
     }
+
+#if defined(SSL_OP_NO_TICKET)
+    // Session tickets are enabled by default. Disable if explicitly requested.
+    if (sslMultCertSettings->session_ticket_enabled == 0) {
+      SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+      Debug("ssl", "ssl session ticket is disabled");
+    }
+#endif
   }
+
   if (params->clientCertLevel != 0) {
     if (params->serverCACertFilename != nullptr && params->serverCACertPath != nullptr) {
       if ((!SSL_CTX_load_verify_locations(ctx, params->serverCACertFilename, params->serverCACertPath)) ||
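Review bot: The relocated `session_ticket_enabled == 0` check now sits inside a nested block that closes at the `}` right after `#endif`, and the guard that opens that block is outside this hunk. In `ssl_store_ssl_context()` the same check ran unconditionally. If the guard is anything narrower than a null check on `sslMultCertSettings`, a context could keep issuing session tickets even though the operator turned them off. Please confirm the guard and record it in the comment, for example `// sslMultCertSettings is non-null in this block; tickets stay enabled unless session_ticket_enabled == 0.` Separately, when `SSL_OP_NO_TICKET` is not defined the setting is dropped without any trace, so an `#else` branch that logs the ignored `session_ticket_enabled == 0` request would make that visible.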
@@ -2030,6 +2039,10 @@ SSLCreateServerContext(const SSLConfigParams *params)
   return ctx;
 }
 
+/**
+   Insert SSLCertContext (SSL_CTX ans options) into SSLCertLookup with key.
+   Do NOT call SSL_CTX_set_* functions from here. SSL_CTX should be set up by SSLInitServerContext().
+ */
 static SSL_CTX *
 ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, const ssl_user_config *sslMultCertSettings)
 {
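Review bot: The new doc comment has a typo ("ans" for "and") and states a rule that the rest of the function may not yet follow. The first line should read `Insert SSLCertContext (SSL_CTX and options) into SSLCertLookup with key.` The body of `ssl_store_ssl_context()` continues outside this hunk, and the next hunk's context shows a `TS_USE_TLS_OCSP` section still living in it. If that section configures `ctx`, it contradicts the "Do NOT call SSL_CTX_set_*" rule. In that case either move it to `SSLInitServerContext()` as well or name the exception in the comment.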
@@ -2088,14 +2101,6 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
 #endif
   }
 
-#if defined(SSL_OP_NO_TICKET)
-  // Session tickets are enabled by default. Disable if explicitly requested.
-  if (sslMultCertSettings->session_ticket_enabled == 0) {
-    SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
-    Debug("ssl", "ssl session ticket is disabled");
-  }
-#endif
-
 #ifdef TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Debug("ssl", "SSL OCSP Stapling is enabled");