OpenSSL: Add mechanism for disabling TLS Session Ticket extension

This can be used to implement workaround for authentication servers that do not handle TLS extensions in ClientHello properly. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:18:54 +03:00 · 2012-08-17 22:18:54 +03:00 · e866f39fbe
parent 6409b7a715
commit e866f39fbe
2 changed files with 15 additions and 0 deletions
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@ -81,6 +81,7 @@ struct tls_config {

 #define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
 #define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
+#define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)

 /**
 * struct tls_connection_params - Parameters for TLS connection
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -2774,6 +2774,13 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		return -1;
 	}

+#ifdef SSL_OP_NO_TICKET
+	if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
+		SSL_set_options(conn->ssl, SSL_OP_NO_TICKET);
+	else
+		SSL_clear_options(conn->ssl, SSL_OP_NO_TICKET);
+#endif /*  SSL_OP_NO_TICKET */
+
 	conn->flags = params->flags;

 	tls_get_errors(tls_ctx);
@ -2809,6 +2816,13 @@ int tls_global_set_params(void *tls_ctx,
 		return -1;
 	}

+#ifdef SSL_OP_NO_TICKET
+	if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
+		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
+	else
+		SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TICKET);
+#endif /*  SSL_OP_NO_TICKET */
+
 	return 0;
 }