Olivier Doucet reported the issue on the ML and tested that when using
more than TLS_TICKETS_NO keys in the file, the CPU usage is much higher
than expected.
Lukas Tribus then provided a test case which showed that resumption doesn't
work at all in that case.
This fix needs to be backported to 1.6.
Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
---
src/ssl_sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1017388..994cdcc 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5406,8 +5406,8 @@ static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px
fclose(f);
/* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
- i-=2;
- keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i;
+ i -= 2;
+ keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i % TLS_TICKETS_NO;
keys_ref->unique_id = -1;
conf->keys_ref = keys_ref;
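Review bot: the comment above `i -= 2;` still describes only the TLS_TICKETS_NO = 1 case, while the `% TLS_TICKETS_NO` added to the tls_ticket_enc_index assignment handles a different one, a file holding more than TLS_TICKETS_NO keys (per the commit message). Please extend the comment to say the index wraps around the key array, so the next reader does not take the modulo for dead code. The wrapped index points at the penultimate key only if the read loop earlier in bind_parse_tls_ticket_keys() stores key n in slot n % TLS_TICKETS_NO. That loop is outside this hunk, so it is worth confirming and stating in the commit message. The `i-=2;` to `i -= 2;` change is whitespace only; for a fix marked for backport to 1.6, dropping it would leave a single functional line in the diff.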
--
2.7.0