dovecot-2.2: ssl_options: Added support for no_ticket
dovecot at dovecot.org
dovecot at dovecot.org
Wed Oct 21 10:33:07 UTC 2015
details: http://hg.dovecot.org/dovecot-2.2/rev/098de79b89c8
changeset: 19326:098de79b89c8
user: Timo Sirainen <tss at iki.fi>
date: Wed Oct 21 13:32:58 2015 +0300
description:
ssl_options: Added support for no_ticket
diffstat:
src/lib-master/master-service-ssl-settings.c | 3 +++
src/lib-master/master-service-ssl-settings.h | 1 +
src/lib-ssl-iostream/iostream-openssl-context.c | 4 ++++
src/lib-ssl-iostream/iostream-ssl.h | 1 +
src/login-common/ssl-proxy-openssl.c | 7 +++++++
5 files changed, 16 insertions(+), 0 deletions(-)
diffs (94 lines):
diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-master/master-service-ssl-settings.c
--- a/src/lib-master/master-service-ssl-settings.c Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-master/master-service-ssl-settings.c Wed Oct 21 13:32:58 2015 +0300
@@ -104,6 +104,7 @@
/* Now explode the ssl_options string into individual flags */
/* First set them all to defaults */
set->parsed_opts.compression = TRUE;
+ set->parsed_opts.tickets = TRUE;
/* Then modify anything specified in the string */
const char **opts = t_strsplit_spaces(set->ssl_options, ", ");
@@ -111,6 +112,8 @@
while ((opt = *opts++) != NULL) {
if (strcasecmp(opt, "no_compression") == 0) {
set->parsed_opts.compression = FALSE;
+ } else if (strcasecmp(opt, "no_ticket") == 0) {
+ set->parsed_opts.tickets = FALSE;
} else {
*error_r = t_strdup_printf("ssl_options: unknown flag: '%s'",
opt);
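Review bot: The new `no_ticket` branch has no accompanying documentation: the diffstat lists only source files, so whatever describes the accepted ssl_options flags to administrators (example config or wiki, presumably) still knows only `no_compression`. A short comment above the branch would also help the next reader of this parser, e.g. `/* no_ticket: disable TLS session tickets (RFC 5077). Unless the ticket key is rotated it outlives individual sessions, so turning tickets off trades resumption for forward secrecy. */`. The enclosing while loop and function continue outside the hunk.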
diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-master/master-service-ssl-settings.h
--- a/src/lib-master/master-service-ssl-settings.h Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-master/master-service-ssl-settings.h Wed Oct 21 13:32:58 2015 +0300
@@ -23,6 +23,7 @@
/* These are derived from ssl_options, not set directly */
struct {
bool compression;
+ bool tickets;
} parsed_opts;
};
diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-ssl-iostream/iostream-openssl-context.c
--- a/src/lib-ssl-iostream/iostream-openssl-context.c Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c Wed Oct 21 13:32:58 2015 +0300
@@ -510,6 +510,10 @@
if (!set->compression)
ssl_ops |= SSL_OP_NO_COMPRESSION;
#endif
+#ifdef SSL_OP_NO_TICKET
+ if (!set->tickets)
+ ssl_ops |= SSL_OP_NO_TICKET;
+#endif
SSL_CTX_set_options(ctx->ssl_ctx, ssl_ops);
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
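Review bot: `if (!set->tickets)` disables tickets whenever the new ssl_iostream_settings field is left at its zero value, so every caller that fills that struct must now explicitly set `tickets = TRUE` (or copy it from parsed_opts), yet the diff adds the field in the iostream-ssl.h hunk without showing any producer for it. A caller that zero-initialises the struct and only assigns `compression`, as the existing code presumably does, would silently get SSL_OP_NO_TICKET after this change. If the producers are updated in a separate commit this is fine; otherwise a comment at the field, `bool tickets; /* callers must set TRUE to keep session tickets enabled */`, and a check of each caller would avoid the regression. The same construct in the ssl-proxy-openssl.c hunk reads parsed_opts, which this commit defaults to TRUE, so it is not affected. The enclosing function starts and ends outside the hunk.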
diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-ssl-iostream/iostream-ssl.h
--- a/src/lib-ssl-iostream/iostream-ssl.h Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-ssl-iostream/iostream-ssl.h Wed Oct 21 13:32:58 2015 +0300
@@ -19,6 +19,7 @@
bool require_valid_cert; /* stream-only */
bool prefer_server_ciphers;
bool compression;
+ bool tickets;
};
/* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
diff -r 0c2f8cb41fea -r 098de79b89c8 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Tue Oct 20 21:23:03 2015 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Wed Oct 21 13:32:58 2015 +0300
@@ -103,6 +103,7 @@
bool verify_client_cert;
bool prefer_server_ciphers;
bool compression;
+ bool tickets;
};
static int extdata_index;
@@ -649,6 +650,7 @@
login_set->auth_ssl_username_from_cert;
lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
lookup_ctx.compression = set->parsed_opts.compression;
+ lookup_ctx.tickets = set->parsed_opts.tickets;
ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
if (ctx == NULL)
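Review bot: `lookup_ctx.tickets` is added to the struct used as the key for the `ssl_servers` hash table, but the hash and compare functions for that key are not part of the diff; if they enumerate fields one by one, as they presumably do for `compression`, two local-IP configurations differing only in `no_ticket` would still resolve to the same cached SSL_CTX, and the later `ctx->tickets = ssl_set->parsed_opts.tickets;` assignment in the last hunk of this file would not influence the lookup. The compare function should gain `if (ctx1->tickets != ctx2->tickets) return 1;` and the hash should fold the flag in alongside `compression`. The enclosing function starts and ends outside the hunk.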
@@ -1029,6 +1031,10 @@
if (!set->parsed_opts.compression)
ssl_ops |= SSL_OP_NO_COMPRESSION;
#endif
+#ifdef SSL_OP_NO_TICKET
+ if (!set->parsed_opts.tickets)
+ ssl_ops |= SSL_OP_NO_TICKET;
+#endif
SSL_CTX_set_options(ssl_ctx, ssl_ops);
#ifdef SSL_MODE_RELEASE_BUFFERS
@@ -1301,6 +1307,7 @@
login_set->auth_ssl_username_from_cert;
ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
ctx->compression = ssl_set->parsed_opts.compression;
+ ctx->tickets = ssl_set->parsed_opts.tickets;
ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
if (ssl_ctx == NULL)