Introduce ticket support. To enable them it is enough to set a positive

lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the ticket keys.

If multiple processes are involved the following functions can be used to make
tickets work accross all instances:
- tls_config_set_session_id() sets the session identifier
- tls_config_add_ticket_key() adds an encryption and authentication key

For now only the last 4 keys added will be used (unless they are too old).
If tls_config_add_ticket_key() is used the caller must ensure to add new keys
regularly. It is best to do this 4 times per session lifetime (which is also
the ticket key lifetime).

Since tickets break PFS it is best to minimize the session lifetime according
to needs.

With a lot of help, input and OK beck@, jsing@

1 files changed, 3 insertions, 0 deletions

diff --git a/src/lib/libtls/Symbols.list b/src/lib/libtls/Symbols.list
index 7ed1d58bdc..a033e3e242 100644
--- a/src/lib/libtls/Symbols.list
+++ b/src/lib/libtls/Symbols.list
@@ -5,6 +5,7 @@ tls_client
 tls_close
 tls_config_add_keypair_file
 tls_config_add_keypair_mem
+tls_config_add_ticket_key
 tls_config_clear_keys
 tls_config_error
 tls_config_free
@@ -32,6 +33,8 @@ tls_config_set_keypair_mem
 tls_config_set_ocsp_staple_mem
 tls_config_set_ocsp_staple_file
 tls_config_set_protocols
+tls_config_set_session_id
+tls_config_set_session_lifetime
 tls_config_set_verify_depth
 tls_config_verify
 tls_config_verify_client