Add sni.yaml session ticket overrides #13006
Pull request overview
Adds per-SNI session ticket controls to ATS so sni.yaml can override global TLS session ticket enablement and TLSv1.3 ticket issuance count during inbound SNI handling (Fixes #12953).
Changes:
- Extend sni.yaml parsing/schema and SNI action plumbing to support ssl_ticket_enabled and ssl_ticket_number.
- Apply overrides during TLS handshake (including after SSL_CTX selection) so they affect TLS 1.2 resumption and TLS 1.3 ticket issuance.
- Add/extend unit tests, gold test coverage, and update admin docs + sample config.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| tests/gold_tests/tls/tls_sni_ticket.test.py | New AuTest coverage for enabling/disabling tickets and setting TLSv1.3 ticket count via sni.yaml. |
| src/iocore/net/unit_tests/test_YamlSNIConfig.cc | Unit test extended to validate parsing of the new keys. |
| src/iocore/net/unit_tests/test_SSLSNIConfig.cc | Unit test extended to validate action generation for a config including ticket overrides. |
| src/iocore/net/unit_tests/sni_conf_test.yaml | Test YAML updated with a tickets.com entry using the new keys. |
| src/iocore/net/YamlSNIConfig.cc | Adds key validation + parsing + action creation for ticket override fields. |
| src/iocore/net/TLSSNISupport.cc | Clears per-connection SNI “hints” when TLSSNISupport is cleared. |
| src/iocore/net/SSLUtils.cc | Adds helper(s) and applies SNI-derived ticket settings during cert callback / ctx setup. |
| src/iocore/net/SNIActionPerformer.h | Introduces new SNI action item types for ticket enable + ticket count overrides. |
| src/iocore/net/SNIActionPerformer.cc | Implements the new SNI actions and stores override hints for later application. |
| include/iocore/net/YamlSNIConfig.h | Adds key declarations and new optional fields to YamlSNIConfig::Item. |
| include/iocore/net/TLSSNISupport.h | Adds optional hint fields for ticket enable/count overrides. |
| doc/admin-guide/files/sni.yaml.en.rst | Documents ssl_ticket_enabled and ssl_ticket_number in sni.yaml. |
| configs/sni.yaml.default | Adds sample/commented entries for the new keys. |
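An added illustration of how the two keys described in this pull request would be used together; this snippet is not from the PR's sample config or from ATS itself. The host names are constructed, and the value types (a boolean for ssl_ticket_enabled, an integer ticket count for ssl_ticket_number) are assumed from the summary above rather than copied from the shipped documentation.

```yaml
# Constructed sni.yaml fragment (not the project's configs/sni.yaml.default).
sni:
  # Constructed host: keep ticket-based resumption on for this name and
  # override only how many TLSv1.3 session tickets are issued per handshake.
  - fqdn: tickets.example.com
    ssl_ticket_enabled: true   # assumed boolean
    ssl_ticket_number: 2       # assumed integer: TLSv1.3 ticket issuance count

  # Constructed host: disable session tickets for this name regardless of the
  # global records.yaml setting. Per the PR summary this affects both TLS 1.2
  # resumption and TLS 1.3 ticket issuance for connections presenting this SNI.
  - fqdn: notickets.example.com
    ssl_ticket_enabled: false
```

Because the override is applied during SNI handling, a client that presents no SNI or a name with no matching entry keeps the global behaviour. The review thread below also records a caveat: the override is not available when ATS is linked against BoringSSL, and the author followed up with a documentation and log update for that case.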
Add ssl_ticket_enabled and ssl_ticket_number as sni.yaml overrides, apply them during SNI handling so they affect TLS 1.2 resumption and TLS 1.3 ticket issuance, and add unit and AuTest coverage plus docs and sample config updates. Fixes apache#12953
1c13a85 to 2e3687f
maskit left a comment
Looks good.
The limitation from BoringSSL is unfortunate but it can't be helped. It would be nice to print a warning message if the setting is used where BoringSSL is linked. It seems like the limitation is not noted on the documentation either (even for the one for records.yaml).
Good point! I pushed a commit updating the docs and the log.
Add ssl_ticket_enabled and ssl_ticket_number as sni.yaml overrides, apply them during SNI handling so they affect TLS 1.2 resumption and TLS 1.3 ticket issuance, and add unit and AuTest coverage plus docs and sample config updates. Fixes apache#12953 (cherry picked from commit 8d75849)
10.2.x backport:
Added to milestone 10.2.0 via #13044
10.1.x backport:
Add ssl_ticket_enabled and ssl_ticket_number as sni.yaml overrides, apply them during SNI handling so they affect TLS 1.2 resumption and TLS 1.3 ticket issuance, and add unit and AuTest coverage plus docs and sample config updates.
Fixes #12953