author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2019-02-27 16:31:59 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-02-27 16:31:59 +0100 |
commit | 5bba5de569fc115654f7d420491e906200d7e166 (patch) | |
tree | d25e3be89c11a791fe78cec0f5c6dbe046544f66 | |
parent | ae7f5d5d32235b3ba6aadbbd837210fd17872c58 (diff) | |
parent | e5c34db05cd7890db31c338eb48865cf6cbef6c6 (diff) |
Merge pull request #8632 from vespa-engine/vekterli/disable-tls-session-resumption
Explicitly disable OpenSSL TLS session resumption
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp | 6 | ||||
-rw-r--r-- | vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h | 1 |
2 files changed, 7 insertions, 0 deletions
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
index fec11c9d18e..c87dc1d2148 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.cpp
@@ -209,6 +209,7 @@ OpenSslTlsContextImpl::OpenSslTlsContextImpl(
 enable_ephemeral_key_exchange();
 disable_compression();
 disable_renegotiation();
+ disable_session_resumption();
 enforce_peer_certificate_verification();
 set_ssl_ctx_self_reference();
 if (!ts_opts.accepted_ciphers().empty()) {
@@ -321,6 +322,11 @@ void OpenSslTlsContextImpl::disable_renegotiation() {
 #endif
 }
 
+void OpenSslTlsContextImpl::disable_session_resumption() {
+ SSL_CTX_set_session_cache_mode(_ctx.get(), SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_options(_ctx.get(), SSL_OP_NO_TICKET);
+}
+
 namespace {
 
 // There's no good reason for entries to contain embedded nulls, aside from
diff --git a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
index c5444dc702e..31814dad8ba 100644
--- a/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
+++ b/vespalib/src/vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h
@@ -41,6 +41,7 @@ private:
 // the connection if it's attempted by the peer), but this should signal
 // explicitly to the peer that it's not a supported action.
 void disable_renegotiation();
+ void disable_session_resumption();
 void enforce_peer_certificate_verification();
 void set_ssl_ctx_self_reference();
 void set_accepted_cipher_suites(const std::vector<vespalib::string>& ciphers); |
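Review bot: `SSL_OP_NO_TICKET` in disable_session_resumption only suppresses stateless tickets; under TLS 1.3 with OpenSSL 1.1.1 the server still sends stateful NewSessionTicket messages, so a peer will offer a PSK that this context then rejects because the cache is off — still a full handshake, but with a needless ticket round-trip. If the build targets 1.1.1 (the `#endif` that closes disable_renegotiation just above suggests version-conditional code already exists here), also turn ticket issuance off entirely: `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` / `SSL_CTX_set_num_tickets(_ctx.get(), 0);` / `#endif`. A short comment in the function body stating why every connection should run a fresh handshake (fresh key exchange and peer certificate verification rather than a resumed session) would also help the next reader, since the constructor hunk gives no hint.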
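Review bot: The new `disable_session_resumption()` declaration has no comment, while the preceding `disable_renegotiation()` carries one explaining its rationale; add a matching why-comment above it, e.g. `// Disable session resumption (session IDs and tickets) so every connection performs a full handshake, including peer certificate verification.` The private section this declaration belongs to continues outside the hunk.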