From f0ef019da28a7b8ad81f65c2fbd2fcc9c88e5c52 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 27 Mar 2014 15:51:25 +0000
Subject: [PATCH] Add -no_resumption_on_reneg to SSL_CONF. (cherry picked from
 commit 1f44dac24d1cb752b1a06be9091bb03a88a8598e)

---
 apps/s_server.c          | 7 -------
 doc/ssl/SSL_CONF_cmd.pod | 7 +++++++
 ssl/ssl_conf.c           | 2 ++
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index f757f3caa1..eb3c866963 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1058,7 +1058,6 @@ int MAIN(int argc, char *argv[])
 	EVP_PKEY *s_key = NULL, *s_dkey = NULL;
 	int no_cache = 0, ext_cache = 0;
 	int rev = 0, naccept = -1;
-	int c_no_resumption_on_reneg = 0;
 #ifndef OPENSSL_NO_TLSEXT
 	EVP_PKEY *s_key2 = NULL;
 	X509 *s_cert2 = NULL;
@@ -1183,10 +1182,6 @@ int MAIN(int argc, char *argv[])
 			c_auth = 1;
 			}
 #endif
-		else if (strcmp(*argv, "-no_resumption_on_reneg") == 0)
-			{
-			c_no_resumption_on_reneg = 1;
-			}
 		else if	(strcmp(*argv,"-auth_require_reneg") == 0)
 			{
 			c_auth_require_reneg = 1;
@@ -1963,8 +1958,6 @@ bad:
 		}
 #endif
 
-	if (c_no_resumption_on_reneg)
-		SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 	if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
 		goto end;
 #ifndef OPENSSL_NO_TLSEXT
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index a8ab16875a..bbda10a76a 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -133,6 +133,10 @@ Use server and not client preference order when determining which cipher suite,
 signature algorithm or elliptic curve to use for an incoming connection.
 Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
 
+=item B<-no_resumption_on_reneg>
+
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
+
 =item B<-legacyrenegotiation>
 
 permits the use of unsafe legacy renegotiation. Equivalent to setting
@@ -292,6 +296,9 @@ determining which cipher suite, signature algorithm or elliptic curve
 to use for an incoming connection.  Equivalent to
 B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
 
+B<NoResumptionOnRenegotiation> set
+B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers.
+
 B<UnsafeLegacyRenegotiation> permits the use of unsafe legacy renegotiation.
 Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
 
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 419400aa24..cdefd206a2 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -212,6 +212,7 @@ static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd)
 		SSL_FLAG_TBL_SRV("serverpref", SSL_OP_CIPHER_SERVER_PREFERENCE),
 		SSL_FLAG_TBL("legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
 		SSL_FLAG_TBL_SRV("legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
+		SSL_FLAG_TBL_SRV("no_resumption_on_reneg", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
 		SSL_FLAG_TBL_SRV_INV("no_legacy_server_connect", SSL_OP_LEGACY_SERVER_CONNECT),
 		SSL_FLAG_TBL_CERT("strict", SSL_CERT_FLAG_TLS_STRICT),
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
@@ -355,6 +356,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
 		SSL_FLAG_TBL("Bugs", SSL_OP_ALL),
 		SSL_FLAG_TBL_INV("Compression", SSL_OP_NO_COMPRESSION),
 		SSL_FLAG_TBL_SRV("ServerPreference", SSL_OP_CIPHER_SERVER_PREFERENCE),
+		SSL_FLAG_TBL_SRV("NoResumptionOnRenegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION),
 		SSL_FLAG_TBL_SRV("DHSingle", SSL_OP_SINGLE_DH_USE),
 		SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),
 		SSL_FLAG_TBL("UnsafeLegacyRenegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),
-- 
2.25.1