From ae233c2446cd31680dd53616ab8882427e861ebc Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 1 Jul 2010 03:09:56 +0200
Subject: Added option to turn on/off session tickets.

---
 NEWS | 3 ++-
 include/mod_gnutls.h.in | 3 +++
 src/gnutls_config.c | 16 ++++++++++++++++
 src/gnutls_hooks.c | 2 +-
 src/mod_gnutls.c | 4 ++++
 5 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index d7bb44f..d5b68b6 100644
--- a/NEWS
+++ b/NEWS
@@ -8,7 +8,8 @@
 - Added support for session tickets. This allows a server to avoid using a session cache and still support session resumption. This is at the cost of transporting
- session data during handshake.
+ session data during handshake. New option
+ GnuTLSSessionTickets [on|off]
 - Depend on gnutls 2.10.0 to force support for safe renegotiation.
diff --git a/include/mod_gnutls.h.in b/include/mod_gnutls.h.in
index 40d0c40..5bb8514 100644
--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -109,6 +109,7 @@ typedef struct
 unsigned int ca_list_size;
 int client_verify_mode;
 apr_time_t last_cache_check;
+ int tickets; /* whether session tickets are allowed */
 } mgs_srvconf_rec;
 typedef struct {
@@ -280,6 +281,8 @@ const char *mgs_set_export_certificates_enabled(cmd_parms * parms, void *dummy, const char *arg);
 const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
 const char *arg);
+const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
+ const char *arg);
 const char *mgs_set_require_section(cmd_parms *cmd, void *mconfig,
 const char *arg);
diff --git a/src/gnutls_config.c b/src/gnutls_config.c
index d75e785..ca26a2d 100644
--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -285,6 +285,22 @@ const char *mgs_set_pgpkey_file(cmd_parms * parms, void *dummy,
 return NULL;
 }
+const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
+ const char *arg)
+{
+ mgs_srvconf_rec *sc =
+ (mgs_srvconf_rec *) ap_get_module_config(parms->server->
+ module_config,
+ &gnutls_module);
+
+ sc->tickets = 0;
+ if (strcasecmp("on", arg) == 0) {
+ sc->tickets = 1;
+ }
+
+ return NULL;
+}
+
 #ifdef ENABLE_SRP
diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 2130cb0..032e6f3 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -673,7 +673,7 @@ static mgs_handle_t *create_gnutls_handle(apr_pool_t * pool, conn_rec * c)
 ctxt->output_length = 0;
 gnutls_init(&ctxt->session, GNUTLS_SERVER);
- if (session_ticket_key.data != NULL)
+ if (session_ticket_key.data != NULL && ctxt->sc->tickets != 0)
 gnutls_session_ticket_enable_server(ctxt->session, &session_ticket_key);
 /* because we don't set any default priorities here (we set later at
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index 08e7dba..c95d183 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -121,6 +121,10 @@ static const command_rec mgs_config_cmds[] = {
 NULL,
 RSRC_CONF,
 "Cache Configuration"),
+ AP_INIT_TAKE1("GnuTLSSessionTickets", mgs_set_tickets,
+ NULL,
+ RSRC_CONF,
+ "Session Tickets Configuration"),
 AP_INIT_RAW_ARGS("GnuTLSPriorities", mgs_set_priorities,
 NULL,
 RSRC_CONF,
-- cgit
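Review bot: mgs_set_tickets maps every argument other than "on" to off without reporting anything, so a misspelled value such as `GnuTLSSessionTickets yes` silently disables tickets instead of failing configuration parsing, which is the convention for Apache directive handlers; the check should accept only the two documented values: `sc->tickets = 0; if (strcasecmp("on", arg) == 0) sc->tickets = 1; else if (strcasecmp("off", arg) != 0) return "GnuTLSSessionTickets must be 'on' or 'off'";`. The diff also does not show the new `tickets` field being initialised in the server-config create or merge path (those functions are outside this hunk), so the effective default depends on how mgs_srvconf_rec is allocated — zeroed memory would mean tickets are off unless the directive is set, which reverses the previous behaviour of enabling them whenever a ticket key exists, and the NEWS entry should state that default explicitly. A comment on the first assignment such as `/* default: tickets off; only an explicit "on" enables them */` would make the intent visible.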
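Review bot: The new condition decides ticket support from `ctxt->sc` at session-creation time, and the assignment of `ctxt->sc` lies outside this hunk; if the handle's server config can be switched later (for example by a virtual-server selection callback, which I cannot confirm from the hunk), a per-virtual-host `GnuTLSSessionTickets` setting would not influence the connection and only the initially selected server's value would apply. Either document that the directive is effectively taken from the server that owns the connection at handshake start, or add a comment on the condition such as `/* tickets need both a loaded key and GnuTLSSessionTickets on in the config of the server that owns this connection */`. create_gnutls_handle begins and ends outside the hunk.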
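Review bot: The help string `"Session Tickets Configuration"` on the new AP_INIT_TAKE1 entry tells the administrator neither which values are accepted nor what the default is, although the NEWS entry in this commit documents the `[on|off]` form. Suggest `"Enable or disable TLS session tickets (on|off)"`. The mgs_config_cmds array continues outside the hunk.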