dovecot-2.2: ssl_options: Added support for no_ticket

dovecot at dovecot.org dovecot at dovecot.org
Wed Oct 21 10:33:07 UTC 2015


details:   http://hg.dovecot.org/dovecot-2.2/rev/098de79b89c8
changeset: 19326:098de79b89c8
user:      Timo Sirainen <tss at iki.fi>
date:      Wed Oct 21 13:32:58 2015 +0300
description:
ssl_options: Added support for no_ticket

diffstat:

 src/lib-master/master-service-ssl-settings.c    |  3 +++
 src/lib-master/master-service-ssl-settings.h    |  1 +
 src/lib-ssl-iostream/iostream-openssl-context.c |  4 ++++
 src/lib-ssl-iostream/iostream-ssl.h             |  1 +
 src/login-common/ssl-proxy-openssl.c            |  7 +++++++
 5 files changed, 16 insertions(+), 0 deletions(-)

diffs (94 lines):

diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-master/master-service-ssl-settings.c
--- a/src/lib-master/master-service-ssl-settings.c	Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-master/master-service-ssl-settings.c	Wed Oct 21 13:32:58 2015 +0300
@@ -104,6 +104,7 @@
 	/* Now explode the ssl_options string into individual flags */
 	/* First set them all to defaults */
 	set->parsed_opts.compression = TRUE;
+	set->parsed_opts.tickets = TRUE;
 
 	/* Then modify anything specified in the string */
 	const char **opts = t_strsplit_spaces(set->ssl_options, ", ");
@@ -111,6 +112,8 @@
 	while ((opt = *opts++) != NULL) {
 		if (strcasecmp(opt, "no_compression") == 0) {
 			set->parsed_opts.compression = FALSE;
+		} else if (strcasecmp(opt, "no_ticket") == 0) {
+			set->parsed_opts.tickets = FALSE;
 		} else {
 			*error_r = t_strdup_printf("ssl_options: unknown flag: '%s'",
 						   opt);
diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-master/master-service-ssl-settings.h
--- a/src/lib-master/master-service-ssl-settings.h	Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-master/master-service-ssl-settings.h	Wed Oct 21 13:32:58 2015 +0300
@@ -23,6 +23,7 @@
 	/* These are derived from ssl_options, not set directly */
 	struct {
 		bool compression;
+		bool tickets;
 	} parsed_opts;
 };
 
diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-ssl-iostream/iostream-openssl-context.c
--- a/src/lib-ssl-iostream/iostream-openssl-context.c	Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c	Wed Oct 21 13:32:58 2015 +0300
@@ -510,6 +510,10 @@
 	if (!set->compression)
 		ssl_ops |= SSL_OP_NO_COMPRESSION;
 #endif
+#ifdef SSL_OP_NO_TICKET
+	if (!set->tickets)
+		ssl_ops |= SSL_OP_NO_TICKET;
+#endif
 	SSL_CTX_set_options(ctx->ssl_ctx, ssl_ops);
 #ifdef SSL_MODE_RELEASE_BUFFERS
 	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
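Review bot: The new `#ifdef SSL_OP_NO_TICKET` block compiles to nothing on an OpenSSL build that lacks the macro, while the parser in master-service-ssl-settings.c still accepts `no_ticket` without complaint, so an administrator who disables tickets would silently keep them; the same applies to the matching block in ssl-proxy-openssl.c (hunk at line 1031). That gap is mostly theoretical, since SSL_OP_NO_TICKET dates from OpenSSL 0.9.8f, but it deserves a line such as `/* no_ticket is silently ignored if OpenSSL predates SSL_OP_NO_TICKET */` above the #ifdef, or an `#else` branch that logs a warning. The two ssl_ops blocks are now duplicated byte for byte across the two files, so a later option risks being added to only one of them; a shared helper that maps the parsed flags to an options mask would keep them from drifting. The enclosing function starts and ends outside this hunk.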
diff -r 0c2f8cb41fea -r 098de79b89c8 src/lib-ssl-iostream/iostream-ssl.h
--- a/src/lib-ssl-iostream/iostream-ssl.h	Tue Oct 20 21:23:03 2015 +0300
+++ b/src/lib-ssl-iostream/iostream-ssl.h	Wed Oct 21 13:32:58 2015 +0300
@@ -19,6 +19,7 @@
 	bool require_valid_cert; /* stream-only */
 	bool prefer_server_ciphers;
 	bool compression;
+	bool tickets;
 };
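Review bot: The new `tickets` field is undocumented, and unlike `compression` its name does not say which direction is the default or what it controls; the consumer in iostream-openssl-context.c maps FALSE to SSL_OP_NO_TICKET. A trailing comment in the style of the `require_valid_cert` line would make the contract clear: `bool tickets; /* FALSE adds SSL_OP_NO_TICKET, disabling RFC 5077 session-ticket resumption */`. The same comment would suit the mirrored field in the ssl-proxy-openssl.c struct (hunk at line 103).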
 
 /* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
diff -r 0c2f8cb41fea -r 098de79b89c8 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Tue Oct 20 21:23:03 2015 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Wed Oct 21 13:32:58 2015 +0300
@@ -103,6 +103,7 @@
 	bool verify_client_cert;
 	bool prefer_server_ciphers;
 	bool compression;
+	bool tickets;
 };
 
 static int extdata_index;
@@ -649,6 +650,7 @@
 		login_set->auth_ssl_username_from_cert;
 	lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
 	lookup_ctx.compression = set->parsed_opts.compression;
+	lookup_ctx.tickets = set->parsed_opts.tickets;
 
 	ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
 	if (ctx == NULL)
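Review bot: `lookup_ctx.tickets` is now filled in before the `hash_table_lookup` on `ssl_servers`, but the hash and comparison callbacks that table was created with are not in this diff; if they compare the struct field by field (as the per-field assignments here suggest rather than a memcmp), they need `if (ctx1->tickets != ctx2->tickets) return 1;` added, or two server contexts that differ only in the ticket setting will resolve to the same cached SSL_CTX and one of them will run with the wrong SSL_OP_NO_TICKET state. The hunk at line 1307 stores the field into the cached context, so the data to compare is there. Worth confirming against the callback definitions, which lie outside this hunk.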
@@ -1029,6 +1031,10 @@
 	if (!set->parsed_opts.compression)
 		ssl_ops |= SSL_OP_NO_COMPRESSION;
 #endif
+#ifdef SSL_OP_NO_TICKET
+	if (!set->parsed_opts.tickets)
+		ssl_ops |= SSL_OP_NO_TICKET;
+#endif
 	SSL_CTX_set_options(ssl_ctx, ssl_ops);
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
@@ -1301,6 +1307,7 @@
 		login_set->auth_ssl_username_from_cert;
 	ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
 	ctx->compression = ssl_set->parsed_opts.compression;
+	ctx->tickets = ssl_set->parsed_opts.tickets;
 
 	ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 	if (ssl_ctx == NULL)

