Add support to disable session ticket

pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options.yml

@@ -30,6 +30,7 @@ spec:
   cipherSuites:
     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     - TLS_RSA_WITH_AES_256_GCM_SHA384
+  disableSessionTickets: true
   clientAuth:
     secretNames:
       - secret-ca1

pkg/provider/kubernetes/crd/fixtures/with_tls_options.yml

@@ -30,6 +30,7 @@ spec:
   cipherSuites:
     - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     - TLS_RSA_WITH_AES_256_GCM_SHA384
+  disableSessionTickets: true
   clientAuth:
     secretNames:
       - secret-ca1

pkg/provider/kubernetes/crd/kubernetes.go

@@ -1273,6 +1273,8 @@ func buildTLSOptions(ctx context.Context, client Client) map[string]tls.Options
 			tlsOption.ALPNProtocols = tlsOptionsCRD.Spec.ALPNProtocols
 		}
 
+		tlsOption.DisableSessionTickets = tlsOptionsCRD.Spec.DisableSessionTickets
+
 		tlsOptions[id] = tlsOption
 	}
 

pkg/provider/kubernetes/crd/kubernetes_test.go

@@ -732,7 +732,8 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 								},
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
-							SniStrict: true,
+							SniStrict:             true,
+							DisableSessionTickets: true,
 							ALPNProtocols: []string{
 								"h2",
 								"http/1.1",
@@ -3401,7 +3402,8 @@ func TestLoadIngressRoutes(t *testing.T) {
 								},
 								ClientAuthType: "VerifyClientCertIfGiven",
 							},
-							SniStrict: true,
+							SniStrict:             true,
+							DisableSessionTickets: true,
 							ALPNProtocols: []string{
 								"h2",
 								"http/1.1",

pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go

@@ -44,7 +44,8 @@ type TLSOptionSpec struct {
 	// ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
 	// More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
 	ALPNProtocols []string `json:"alpnProtocols,omitempty"`
-
+	// DisableSessionTickets disables TLS session resumption via session tickets.
+	DisableSessionTickets bool `json:"disableSessionTickets,omitempty"`
 	// PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
 	// It is enabled automatically when minVersion or maxVersion is set.
 	// Deprecated: https://github.com/golang/go/issues/45430

pkg/tls/tls.go

@@ -18,13 +18,14 @@ type ClientAuth struct {
 
 // Options configures TLS for an entry point.
 type Options struct {
-	MinVersion       string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
-	MaxVersion       string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
-	CipherSuites     []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"`
-	CurvePreferences []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
-	ClientAuth       ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
-	SniStrict        bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
-	ALPNProtocols    []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
+	MinVersion            string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
+	MaxVersion            string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
+	CipherSuites          []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"`
+	CurvePreferences      []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
+	ClientAuth            ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
+	SniStrict             bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
+	ALPNProtocols         []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
+	DisableSessionTickets bool       `json:"disableSessionTickets,omitempty" toml:"disableSessionTickets,omitempty" yaml:"disableSessionTickets,omitempty" export:"true"`
 
 	// Deprecated: https://github.com/golang/go/issues/45430
 	PreferServerCipherSuites *bool `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"`

pkg/tls/tlsmanager.go

@@ -325,7 +325,8 @@ func getDefaultCertificate(ctx context.Context, tlsStore Store, st *CertificateS
 // creates a TLS config that allows terminating HTTPS for multiple domains using SNI.
 func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 	conf := &tls.Config{
-		NextProtos: tlsOption.ALPNProtocols,
+		NextProtos:             tlsOption.ALPNProtocols,
+		SessionTicketsDisabled: tlsOption.DisableSessionTickets,
 	}
 
 	if len(tlsOption.ClientAuth.CAFiles) > 0 {

pkg/tls/tlsmanager_test.go

@@ -331,6 +331,7 @@ func TestManager_Get_DefaultValues(t *testing.T) {
 	config, _ := tlsManager.Get("default", "default")
 	assert.Equal(t, uint16(tls.VersionTLS12), config.MinVersion)
 	assert.Equal(t, []string{"h2", "http/1.1", "acme-tls/1"}, config.NextProtos)
+	assert.False(t, config.SessionTicketsDisabled)
 	assert.Equal(t, []uint16{
 		tls.TLS_AES_128_GCM_SHA256,
 		tls.TLS_AES_256_GCM_SHA384,