From 34399332354b5cbc742200ef11aa33f199ba6755 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Wed, 29 May 2019 23:11:46 -0600
Subject: Implement session ticket keys; default STEK module with rotation

---
 modules/caddytls/connpolicy.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'modules/caddytls/connpolicy.go')

diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 3241d3c..006afe9 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -133,9 +133,21 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy2.Context) error {
 },
 MinVersion: tls.VersionTLS12,
 MaxVersion: tls.VersionTLS13,
-// TODO: Session ticket key rotation (use Storage)
 }
 
+// session tickets support
+cfg.SessionTicketsDisabled = tlsApp.SessionTickets.Disabled
+
+// session ticket key rotation
+tlsApp.SessionTickets.register(cfg)
+ctx.OnCancel(func() {
+// do cleanup when the context is cancelled because,
+// though unlikely, it is possible that a context
+// needing a TLS server config could exist for less
+// than the lifetime of the whole app
+tlsApp.SessionTickets.unregister(cfg)
+})
+
 // add all the cipher suites in order, without duplicates
 cipherSuitesAdded := make(map[uint16]struct{})
 for _, csName := range p.CipherSuites {
-- 
cgit v1.2.3
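Review bot: The key-rotation registration runs unconditionally, even when `tlsApp.SessionTickets.Disabled` is true, so a config that never issues tickets is still enrolled for rotated keys and for the OnCancel cleanup; the `register` and `unregister` bodies are not in this hunk, so whether they check the flag themselves cannot be seen here. Unless they do, guarding the two calls keeps disabled configs out of the rotation set: `if !tlsApp.SessionTickets.Disabled { tlsApp.SessionTickets.register(cfg); ctx.OnCancel(func() { tlsApp.SessionTickets.unregister(cfg) }) }`. The `// session ticket key rotation` comment names the mechanism but not why it matters; a line such as `// rotating the ticket encryption key bounds how long a leaked key can decrypt resumed sessions recorded earlier` would make the security rationale explicit for the next maintainer. `tlsApp` is defined before this hunk and buildStandardTLSConfig continues past it, so the surrounding error handling is not visible here.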