Add support to disable session ticket

pkg/tls/tls.go

@@ -18,13 +18,14 @@ type ClientAuth struct {
 
 // Options configures TLS for an entry point.
 type Options struct {
-	MinVersion       string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
-	MaxVersion       string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
-	CipherSuites     []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"`
-	CurvePreferences []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
-	ClientAuth       ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
-	SniStrict        bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
-	ALPNProtocols    []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
+	MinVersion            string     `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
+	MaxVersion            string     `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
+	CipherSuites          []string   `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"`
+	CurvePreferences      []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
+	ClientAuth            ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
+	SniStrict             bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
+	ALPNProtocols         []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
+	DisableSessionTickets bool       `json:"disableSessionTickets,omitempty" toml:"disableSessionTickets,omitempty" yaml:"disableSessionTickets,omitempty" export:"true"`
 
 	// Deprecated: https://github.com/golang/go/issues/45430
 	PreferServerCipherSuites *bool `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"`

pkg/tls/tlsmanager.go

@@ -325,7 +325,8 @@ func getDefaultCertificate(ctx context.Context, tlsStore Store, st *CertificateS
 // creates a TLS config that allows terminating HTTPS for multiple domains using SNI.
 func buildTLSConfig(tlsOption Options) (*tls.Config, error) {
 	conf := &tls.Config{
-		NextProtos: tlsOption.ALPNProtocols,
+		NextProtos:             tlsOption.ALPNProtocols,
+		SessionTicketsDisabled: tlsOption.DisableSessionTickets,
 	}
 
 	if len(tlsOption.ClientAuth.CAFiles) > 0 {

pkg/tls/tlsmanager_test.go

@@ -331,6 +331,7 @@ func TestManager_Get_DefaultValues(t *testing.T) {
 	config, _ := tlsManager.Get("default", "default")
 	assert.Equal(t, uint16(tls.VersionTLS12), config.MinVersion)
 	assert.Equal(t, []string{"h2", "http/1.1", "acme-tls/1"}, config.NextProtos)
+	assert.False(t, config.SessionTicketsDisabled)
 	assert.Equal(t, []uint16{
 		tls.TLS_AES_128_GCM_SHA256,
 		tls.TLS_AES_256_GCM_SHA384,