author | claudio <claudio@openbsd.org> | 2017-03-25 17:25:34 +0000 |
---|---|---|
committer | claudio <claudio@openbsd.org> | 2017-03-25 17:25:34 +0000 |
commit | fe006a116d1775efa666fe8afddc5dc84efc24f2 (patch) | |
tree | 2b6dfe5c61eeeefa0636e444b71eedbb97ad997b /usr.sbin/httpd/parse.y | |
parent | OpenSSL documented the public function BIO_printf(3) (and friends) (diff) | |
Implement TLS ticket support in httpd. Off by default. Use
`tls ticket lifetime default`
to turn it on with a 2h ticket lifetime.
Rekeying happens after a quarter of that time.
OK reky@ and bob@
Diffstat (limited to 'usr.sbin/httpd/parse.y')
-rw-r--r-- | usr.sbin/httpd/parse.y | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index f53cfff67bf..41964765f0f 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.89 2017/02/07 12:27:42 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.90 2017/03/25 17:25:34 claudio Exp $ */
 
 /*
  * Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -130,10 +130,10 @@ typedef struct {
 %}
 
 %token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
-%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
-%token LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT PREFORK
-%token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
-%token TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST
+%token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LIFETIME
+%token LISTEN LOCATION LOG LOGDIR MATCH MAXIMUM NO NODELAY OCSP ON PORT PREFORK
+%token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TICKET
+%token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST
 %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS
 %token <v.string> STRING
 %token <v.number> NUMBER
@@ -766,6 +766,23 @@ tlsopts : CERTIFICATE STRING {
 }
 free($2);
 }
+ | TICKET LIFETIME DEFAULT {
+ srv_conf->tls_ticket_lifetime = SERVER_DEF_TLS_LIFETIME;
+ }
+ | TICKET LIFETIME NUMBER {
+ if ($3 != 0 && $3 < SERVER_MIN_TLS_LIFETIME) {
+ yyerror("ticket lifetime too small");
+ YYERROR;
+ }
+ if ($3 > SERVER_MAX_TLS_LIFETIME) {
+ yyerror("ticket lifetime too large");
+ YYERROR;
+ }
+ srv_conf->tls_ticket_lifetime = $3;
+ }
+ | NO TICKET {
+ srv_conf->tls_ticket_lifetime = 0;
+ }
 ;
 
 root : ROOT rootflags
@@ -1218,6 +1235,7 @@ lookup(char *s)
 { "index", INDEX },
 { "ip", IP },
 { "key", KEY },
+ { "lifetime", LIFETIME },
 { "listen", LISTEN },
 { "location", LOCATION },
 { "log", LOG },
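Review bot: In the `TICKET LIFETIME NUMBER` action the value 0 is accepted silently even though it means the same as `no ticket` — the minimum check is skipped only because of the `$3 != 0` guard, and the message `ticket lifetime too small` gives the reader no hint that 0 is the documented way to disable tickets rather than a too-small value. A one-line comment above the check, `/* 0 disables tickets, same as "no ticket"; any other value must meet the minimum */`, would make the intent explicit. The same comment could note that negative numbers are rejected by the `< SERVER_MIN_TLS_LIFETIME` branch, which presumably holds only if that minimum is positive (its definition is outside this diff). The tlsopts rule begins before this hunk.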
@@ -1246,6 +1264,7 @@ lookup(char *s)
 { "subdomains", SUBDOMAINS },
 { "syslog", SYSLOG },
 { "tcp", TCP },
+ { "ticket", TICKET },
 { "timeout", TIMEOUT },
 { "tls", TLS },
 { "type", TYPE }, |