Updated Branches: refs/heads/master fc3b25fe4 -> 439b504f1
TS-2416: configurable TLS session timeout threshold The default is 300 seconds. Making this configurable lets the application specify the expiration threshold for both the internal session cache and session tickets. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/439b504f Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/439b504f Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/439b504f Branch: refs/heads/master Commit: 439b504f137fa4fa3d31506afd4ad8d3a631783f Parents: fc3b25f Author: Wei Sun <[email protected]> Authored: Wed Dec 4 10:20:31 2013 -0800 Committer: James Peach <[email protected]> Committed: Wed Dec 4 10:26:26 2013 -0800 ---------------------------------------------------------------------- CHANGES | 5 ++++- doc/reference/configuration/records.config.en.rst | 6 ++++++ iocore/net/P_SSLConfig.h | 1 + iocore/net/SSLConfig.cc | 2 ++ iocore/net/SSLUtils.cc | 3 +++ mgmt/RecordsConfig.cc | 3 ++- 6 files changed, 18 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 94ccedb..504e1a0 100644 --- a/CHANGES +++ b/CHANGES 
@@ -2,9 +2,12 @@ Changes with Apache Traffic Server 4.2.0 + *) [TS-2416] Make TLS the session timeout threshold configurable. + Author: Wei Sun <[email protected]> + *) [TS-2335] adding ts_lua plugin to experimental directory - *) [TS-2347] buffer_upload uses unsafe function tempnam(). Replace it + *) [TS-2347] buffer_upload uses unsafe function tempnam(). Replace it with mkstemp() *) [TS-1815] Add thread number and port to accept thread name and http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/doc/reference/configuration/records.config.en.rst ---------------------------------------------------------------------- diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst index fc17b3e..f95dfc8 100644 --- a/doc/reference/configuration/records.config.en.rst +++ b/doc/reference/configuration/records.config.en.rst @@ -1957,6 +1957,12 @@ SSL Termination buffering at the SSL layer. The default of ``0`` means to always write all available data into a single SSL record. +.. ts:cv:: CONFIG proxy.config.ssl.session_cache.timeout INT 0 + + This configuration specifies the lifetime of SSL session cache + entries in seconds. If it is ``0``, then the SSL library will use + a default value, typically 300 seconds. + Client-Related Configuration ---------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/iocore/net/P_SSLConfig.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h index facfb25..b258b6c 100644 --- a/iocore/net/P_SSLConfig.h +++ b/iocore/net/P_SSLConfig.h 
@@ -66,6 +66,7 @@ struct SSLConfigParams : public ConfigInfo int verify_depth; int ssl_session_cache; // SSL_SESSION_CACHE_MODE int ssl_session_cache_size; + int ssl_session_cache_timeout; char * clientCertPath; char * clientKeyPath; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/iocore/net/SSLConfig.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index 9c75fcc..72b7c42 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc @@ -64,6 +64,7 @@ SSLConfigParams::SSLConfigParams() ssl_ctx_options = 0; ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER; ssl_session_cache_size = 1024*20; + ssl_session_cache_timeout = 0; } SSLConfigParams::~SSLConfigParams() @@ -184,6 +185,7 @@ SSLConfigParams::initialize() // SSL session cache configurations REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache"); REC_ReadConfigInteger(ssl_session_cache_size, "proxy.config.ssl.session_cache.size"); + REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout"); // SSL record size REC_EstablishStaticConfigInt32(ssl_maxrecord, "proxy.config.ssl.max_record_size"); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/iocore/net/SSLUtils.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 19f65b6..228870a 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc 
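Review bot: The new `ssl_session_cache_timeout` member is added with no unit or sentinel documentation, even though the neighbouring `ssl_session_cache` field carries a comment and the .rst text in this same commit defines the value as seconds with `0` meaning "leave the library default" — a contract SSLUtils.cc then relies on via its non-zero test. I would write `int ssl_session_cache_timeout; // seconds; 0 = keep OpenSSL's default (applied via SSL_CTX_set_timeout)`. It is also worth a note that the value is handed to SSL_CTX_set_timeout(), which takes a `long`, so nothing at this layer bounds it; any range check has to live where the record is read. The struct continues outside the hunk.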
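Review bot: The value read by `REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout")` is never validated, so a negative number in records.config is stored as-is and, because SSLUtils.cc only checks it for non-zero, is later passed to SSL_CTX_set_timeout(). OpenSSL keeps the timeout as a signed long and compares it against elapsed seconds, so a negative value will most likely make every new session look expired on lookup — silently defeating resumption rather than failing loudly. I would reject it at read time alongside the other session-cache settings, `if (ssl_session_cache_timeout < 0) { /* warn via the file's usual diagnostics call */ ssl_session_cache_timeout = 0; }`, so the documented "0 = library default" path is taken instead. initialize() continues outside the hunk.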
@@ -310,6 +310,9 @@ SSLInitServerContext( case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER: SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); SSL_CTX_sess_set_cache_size(ctx, params->ssl_session_cache_size); + if (params->ssl_session_cache_timeout) { + SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout); + } break; } http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/mgmt/RecordsConfig.cc ---------------------------------------------------------------------- diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index cc4a74f..a54e018 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc @@ -1275,7 +1275,8 @@ RecordElement RecordsConfig[] = { , {RECT_CONFIG, "proxy.config.ssl.max_record_size", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} , - + {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} + , //############################################################################## //# ICP Configuration //##############################################################################
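Review bot: SSL_CTX_set_timeout() is only invoked under `case SSL_SESSION_CACHE_MODE_SERVER`, yet as far as I know the context timeout also sets the lifetime of the session objects carried in session tickets, so for any other cache mode handled earlier in this switch (the hunk starts mid-switch) ticket-based resumption keeps the library default even though the commit message says the setting covers both the internal cache and tickets. Unless ticket issuance is disabled for those modes somewhere I cannot see, I would hoist the call out of the switch so it runs whenever the option is set: `if (params->ssl_session_cache_timeout > 0) SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout);`. Using `> 0` rather than the non-zero test also keeps a negative configured value from reaching OpenSSL, where a negative signed timeout is not a sane lifetime. SSLInitServerContext() begins and ends outside the hunk.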
