.. versionadded:: 1.3.0
.. versionchanged:: 1.3.1
``certFile(s)`` and ``keyFile(s)`` parameters accept a list of files.
+ ``disableTickets`` option added.
Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
* ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.
* ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
* ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
+ * ``dibaleTickets``: bool - Disable the use of session resumption via session tickets. Default is false, meaning tickets are enabled.
.. function:: setLocal(address[, options])
{
d_ticketsKeyRotationDelay = fe.d_ticketsKeyRotationDelay;
- static const int sslOptions =
+ int sslOptions =
SSL_OP_NO_SSLv2 |
SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_SINGLE_ECDH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE;
+ if (fe.d_disableTickets) {
+ sslOptions |= SSL_OP_NO_TICKET;
+ }
+
if (s_users.fetch_add(1) == 0) {
ERR_load_crypto_strings();
OpenSSL_add_ssl_algorithms();
{
public:
- GnuTLSConnection(int socket, unsigned int timeout, const gnutls_certificate_credentials_t creds, const gnutls_priority_t priorityCache, std::shared_ptr<GnuTLSTicketsKey>& ticketsKey): d_ticketsKey(ticketsKey)
+ GnuTLSConnection(int socket, unsigned int timeout, const gnutls_certificate_credentials_t creds, const gnutls_priority_t priorityCache, std::shared_ptr<GnuTLSTicketsKey>& ticketsKey, bool disableTickets): d_ticketsKey(ticketsKey)
{
- d_socket = socket;
-
- if (gnutls_init(&d_conn, GNUTLS_SERVER
+ unsigned int sslOptions = GNUTLS_SERVER;
#ifdef GNUTLS_NO_SIGNAL
- | GNUTLS_NO_SIGNAL
+ sslOptions |= GNUTLS_NO_SIGNAL;
#endif
- ) != GNUTLS_E_SUCCESS) {
+
+ d_socket = socket;
+
+ if (gnutls_init(&d_conn, sslOptions) != GNUTLS_E_SUCCESS) {
throw std::runtime_error("Error creating TLS connection");
}
throw std::runtime_error("Error setting ciphers to TLS connection");
}
- if (d_ticketsKey) {
+ if (!disableTickets && d_ticketsKey) {
const gnutls_datum_t& key = d_ticketsKey->getKey();
if (gnutls_session_ticket_enable_server(d_conn, &key) != GNUTLS_E_SUCCESS) {
gnutls_deinit(d_conn);
class GnuTLSIOCtx: public TLSCtx
{
public:
- GnuTLSIOCtx(const TLSFrontend& fe)
+ GnuTLSIOCtx(const TLSFrontend& fe): d_disableTickets(fe.d_disableTickets)
{
int rc = 0;
d_ticketsKeyRotationDelay = fe.d_ticketsKeyRotationDelay;
{
handleTicketsKeyRotation(now);
- return std::unique_ptr<GnuTLSConnection>(new GnuTLSConnection(socket, timeout, d_creds, d_priorityCache, d_ticketsKey));
+ return std::unique_ptr<GnuTLSConnection>(new GnuTLSConnection(socket, timeout, d_creds, d_priorityCache, d_ticketsKey, d_disableTickets));
}
void rotateTicketsKey(time_t now) override
{
+ if (d_disableTickets) {
+ return;
+ }
+
auto newKey = std::make_shared<GnuTLSTicketsKey>();
d_ticketsKey = newKey;
if (d_ticketsKeyRotationDelay > 0) {
void loadTicketsKeys(const std::string& file) override
{
+ if (d_disableTickets) {
+ return;
+ }
+
auto newKey = std::make_shared<GnuTLSTicketsKey>(file);
d_ticketsKey = newKey;
if (d_ticketsKeyRotationDelay > 0) {
gnutls_certificate_credentials_t d_creds{nullptr};
gnutls_priority_t d_priorityCache{nullptr};
std::shared_ptr<GnuTLSTicketsKey> d_ticketsKey{nullptr};
+ bool d_disableTickets{false};
};
#endif /* HAVE_GNUTLS */