dnsdist: add ticketLifetime setting for TLS ticket lifetime

PowerDNS · Mar 2, 2020 · 327953b · 327953b
1 parent 56f36e0
commit 327953b
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
@@ -175,6 +175,12 @@ static void parseTLSConfig(TLSConfig& config, const std::string& context, boost:
     config.d_ticketsKeyRotationDelay = boost::get<int>((*vars)["ticketsKeysRotationDelay"]);
   }
 
+  if (vars->count("ticketLifetime")) {
+    config.d_ticketLifetime = boost::get<int>((*vars)["ticketLifetime"]);
+  } else if (vars->count("ticketsKeysRotationDelay") && boost::get<int>((*vars)["ticketsKeysRotationDelay"]) > 0) {
+    config.d_ticketLifetime = boost::get<int>((*vars)["ticketsKeysRotationDelay"]);
+  }
+
   if (vars->count("numberOfTicketsKeys")) {
     config.d_numberOfTicketsKeys = boost::get<int>((*vars)["numberOfTicketsKeys"]);
   }

diff --git a/pdns/dnsdistdist/libssl.cc b/pdns/dnsdistdist/libssl.cc
@@ -662,6 +662,10 @@ std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> libssl_init_server_context(const TLS
 #endif /* HAVE_SSL_CTX_SET_NUM_TICKETS */
   }
 
+  if (config.d_ticketLifetime != 0) {
+    SSL_CTX_set_timeout(ctx.get(), config.d_ticketLifetime);
+  }
+
   if (config.d_preferServerCiphers) {
     sslOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
   }

diff --git a/pdns/libssl.hh b/pdns/libssl.hh
@@ -26,6 +26,7 @@ public:
   size_t d_maxStoredSessions{20480};
   time_t d_ticketsKeyRotationDelay{43200};
   uint8_t d_numberOfTicketsKeys{5};
+  time_t d_ticketLifetime{43200};
   LibsslTLSVersion d_minTLSVersion{LibsslTLSVersion::TLS10};
 
   bool d_preferServerCiphers{true};