Posted to commits@trafficserver.apache.org by ma...@apache.org on 2019/02/21 22:59:15 UTC
[trafficserver] branch master updated: Cleanup: Set
SSL_OP_NO_TICKET in SSLInitServerContext()
This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 837250c Cleanup: Set SSL_OP_NO_TICKET in SSLInitServerContext()
837250c is described below
commit 837250cc6af9be61c1b5b495dd40aa08aa341067
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Thu Feb 21 11:58:32 2019 +0900
Cleanup: Set SSL_OP_NO_TICKET in SSLInitServerContext()
---
iocore/net/SSLUtils.cc | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 305317a..111ec1b 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1872,7 +1872,16 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
goto fail;
}
}
+
+#if defined(SSL_OP_NO_TICKET)
+ // Session tickets are enabled by default. Disable if explicitly requested.
+ if (sslMultCertSettings->session_ticket_enabled == 0) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
+ Debug("ssl", "ssl session ticket is disabled");
+ }
+#endif
}
+
if (params->clientCertLevel != 0) {
if (params->serverCACertFilename != nullptr && params->serverCACertPath != nullptr) {
if ((!SSL_CTX_load_verify_locations(ctx, params->serverCACertFilename, params->serverCACertPath)) ||
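Review bot: The added comment and the `Debug("ssl", "ssl session ticket is disabled")` message overstate what `SSL_OP_NO_TICKET` does once TLS 1.3 is negotiated: per the OpenSSL documentation the option only turns off stateless tickets, and a TLS 1.3 server still issues stateful tickets unless `SSL_CTX_set_num_tickets(ctx, 0)` is also called. If this build links OpenSSL 1.1.1 or later (not visible here), an operator who sets `session_ticket_enabled == 0` to rule out resumption would still get it on TLS 1.3 connections; either add that call next to `SSL_CTX_set_options` under a version guard, or narrow the comment to `// Disables stateless (RFC 5077) session tickets only`. Separately, when `SSL_OP_NO_TICKET` is not defined the configured value is dropped without any log line, so a warning-level message in an `#else` branch would make that visible. The enclosing block that closes right after `#endif` starts outside the hunk, so whether `sslMultCertSettings` is null-checked before the dereference cannot be confirmed from these lines.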
@@ -2030,6 +2039,10 @@ SSLCreateServerContext(const SSLConfigParams *params)
return ctx;
}
+/**
+ Insert SSLCertContext (SSL_CTX ans options) into SSLCertLookup with key.
+ Do NOT call SSL_CTX_set_* functions from here. SSL_CTX should be set up by SSLInitServerContext().
+ */
static SSL_CTX *
ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, const ssl_user_config *sslMultCertSettings)
{
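Review bot: The new header comment on `ssl_store_ssl_context` has a typo: `SSL_CTX ans options` should read `SSL_CTX and options`. The rule it states may also not hold yet, because the `TS_USE_TLS_OCSP` block that stays in this function (context lines of the last hunk) looks like it still configures the context after its `Debug` line, though that call is outside the visible lines. If so, either move that setup into `SSLInitServerContext()` as well, or word the comment as `Avoid adding new SSL_CTX_set_* calls here`. The function body continues past the end of this hunk.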
@@ -2088,14 +2101,6 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
#endif
}
-#if defined(SSL_OP_NO_TICKET)
- // Session tickets are enabled by default. Disable if explicitly requested.
- if (sslMultCertSettings->session_ticket_enabled == 0) {
- SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
- Debug("ssl", "ssl session ticket is disabled");
- }
-#endif
-
#ifdef TS_USE_TLS_OCSP
if (SSLConfigParams::ssl_ocsp_enabled) {
Debug("ssl", "SSL OCSP Stapling is enabled");