Repository: trafficserver Updated Branches: refs/heads/master 269a75bf4 -> 5146b1261
TS-3080: We don't need to verify SNI names when properly setting the session context (TS-3125) Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/5146b126 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/5146b126 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/5146b126 Branch: refs/heads/master Commit: 5146b1261c4a6258ac0aab7a7a6f1bb980cd76bc Parents: 269a75b Author: Brian Geffon <[email protected]> Authored: Fri Oct 10 12:39:54 2014 -0700 Committer: Brian Geffon <[email protected]> Committed: Fri Oct 10 12:39:54 2014 -0700 ---------------------------------------------------------------------- iocore/net/SSLSessionCache.cc | 31 ++++++++++--------------------- iocore/net/SSLSessionCache.h | 15 +++++++-------- iocore/net/SSLUtils.cc | 17 ++++++++--------- 3 files changed, 25 insertions(+), 38 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5146b126/iocore/net/SSLSessionCache.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLSessionCache.cc b/iocore/net/SSLSessionCache.cc index 5b36907..8fb30d8 100644 --- a/iocore/net/SSLSessionCache.cc +++ b/iocore/net/SSLSessionCache.cc @@ -48,7 +48,7 @@ SSLSessionCache::~SSLSessionCache() { delete []session_bucket; } -bool SSLSessionCache::getSession(const SSLSessionID &sid, const char *sni_name, SSL_SESSION **sess) { +bool SSLSessionCache::getSession(const SSLSessionID &sid, SSL_SESSION **sess) const { uint64_t hash = sid.hash(); uint64_t target_bucket = hash % SSLConfigParams::session_cache_number_buckets; SSLSessionBucket *bucket = &session_bucket[target_bucket]; @@ -60,7 +60,7 @@ bool SSLSessionCache::getSession(const SSLSessionID &sid, const char *sni_name, Debug("ssl.session_cache.get", "SessionCache looking in bucket %" PRId64 " (%p) for session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf, hash); } - ret = bucket->getSession(sid, sni_name, sess); + ret = bucket->getSession(sid, sess); if (ret) SSL_INCREMENT_DYN_STAT(ssl_session_cache_hit); @@ -85,7 +85,7 @@ void SSLSessionCache::removeSession(const SSLSessionID &sid) { bucket->removeSession(sid); } -void SSLSessionCache::insertSession(const SSLSessionID &sid, const char *sni_name, SSL_SESSION *sess) { +void SSLSessionCache::insertSession(const SSLSessionID &sid, SSL_SESSION *sess) { uint64_t hash = sid.hash(); uint64_t target_bucket = hash % SSLConfigParams::session_cache_number_buckets; SSLSessionBucket *bucket = &session_bucket[target_bucket]; @@ -96,10 +96,10 @@ void SSLSessionCache::insertSession(const SSLSessionID &sid, const char *sni_nam Debug("ssl.session_cache.insert", "SessionCache using bucket %" PRId64 " (%p): Inserting session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf, hash); } - bucket->insertSession(sid, sni_name, sess); + bucket->insertSession(sid, sess); } -void SSLSessionBucket::insertSession(const SSLSessionID &id, const char *sni_name, SSL_SESSION *sess) { +void SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess) { size_t len = i2d_SSL_SESSION(sess, NULL); // make sure we're not going to need more than SSL_MAX_SESSION_SIZE bytes /* do not cache a session that's too big. */ if (len > (size_t) SSL_MAX_SESSION_SIZE) { @@ -110,7 +110,7 @@ void SSLSessionBucket::insertSession(const SSLSessionID &id, const char *sni_nam if (is_debug_tag_set("ssl.session_cache")) { char buf[id.len * 2 + 1]; id.toString(buf, sizeof(buf)); - Debug("ssl.session_cache", "Inserting session '%s' to bucket %p with sni name '%s'", buf, this, sni_name); + Debug("ssl.session_cache", "Inserting session '%s' to bucket %p.", buf, this); } Ptr<IOBufferData> buf; @@ -119,7 +119,7 @@ void SSLSessionBucket::insertSession(const SSLSessionID &id, const char *sni_nam unsigned char *loc = reinterpret_cast<unsigned char *>(buf->data()); i2d_SSL_SESSION(sess, &loc); - SSLSession *ssl_session = new SSLSession(id, sni_name, buf, len); + SSLSession *ssl_session = new SSLSession(id, buf, len); ink_scoped_try_mutex scoped_mutex(mutex); if (!scoped_mutex.hasLock()) { @@ -141,15 +141,14 @@ void SSLSessionBucket::insertSession(const SSLSessionID &id, const char *sni_nam PRINT_BUCKET("insertSession after") } - - -bool SSLSessionBucket::getSession(const SSLSessionID &id, const char *sni_name, SSL_SESSION **sess) { +bool SSLSessionBucket::getSession(const SSLSessionID &id, SSL_SESSION **sess) const { char buf[id.len * 2 + 1]; + buf[0] = '\0'; // just to be safe. if (is_debug_tag_set("ssl.session_cache")) { id.toString(buf, sizeof(buf)); } - Debug("ssl.session_cache", "Looking for session with id '%s' in bucket %p with sni name '%s'", buf, this, sni_name); + Debug("ssl.session_cache", "Looking for session with id '%s' in bucket %p", buf, this); ink_scoped_try_mutex scoped_mutex(mutex); if (!scoped_mutex.hasLock()) { @@ -166,20 +165,11 @@ bool SSLSessionBucket::getSession(const SSLSessionID &id, const char *sni_name, while (node) { if (node->session_id == id) { - if ((node->sni_name == NULL && sni_name == NULL) /* this session doesn't have an associated SNI name */|| - (node->sni_name && sni_name && strcmp(node->sni_name, sni_name) == 0)) { /* the session does have an associated SNI name */ - Debug("ssl.session_cache", "Found session with id '%s' in bucket %p with sni name '%s'.", buf, this, sni_name); - const unsigned char *loc = reinterpret_cast<const unsigned char *>(node->asn1_data->data()); *sess = d2i_SSL_SESSION(NULL, &loc, node->len_asn1_data); return true; - } else { - Debug("ssl.session_cache", "Found session with id '%s' in bucket %p but sni names didn't match! '%s' != '%s'.", buf, this, node->sni_name, sni_name); - return false; - } } - node = node->link.prev; } @@ -236,7 +226,6 @@ void SSLSessionBucket::removeSession(const SSLSessionID &id) { /* Session Bucket */ SSLSessionBucket::SSLSessionBucket() { - Debug("ssl.session_cache", "Created new bucket %p with max size %ld", this, SSLConfigParams::session_cache_max_bucket_size); ink_mutex_init(&mutex, "session_bucket"); } http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5146b126/iocore/net/SSLSessionCache.h ---------------------------------------------------------------------- diff --git a/iocore/net/SSLSessionCache.h b/iocore/net/SSLSessionCache.h index ce5c8b1..82f4959 100644 --- a/iocore/net/SSLSessionCache.h +++ b/iocore/net/SSLSessionCache.h @@ -33,7 +33,7 @@ #include "RbTree.h" #include <openssl/ssl.h> -#define SSL_MAX_SESSION_SIZE 2048 +#define SSL_MAX_SESSION_SIZE 256 struct SSLSessionID { char bytes[SSL_MAX_SSL_SESSION_ID_LENGTH]; @@ -104,12 +104,11 @@ struct SSLSessionID { class SSLSession { public: SSLSessionID session_id; - const char *sni_name; Ptr<IOBufferData> asn1_data; /* this is the ASN1 representation of the SSL_CTX */ size_t len_asn1_data; - SSLSession(const SSLSessionID &id, const char *name, Ptr<IOBufferData> ssl_asn1_data, size_t len_asn1) - : session_id(id), sni_name(name), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1) + SSLSession(const SSLSessionID &id, Ptr<IOBufferData> ssl_asn1_data, size_t len_asn1) + : session_id(id), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1) { } LINK(SSLSession, link); @@ -120,8 +119,8 @@ public: SSLSessionBucket(); ~SSLSessionBucket(); void removeOldestSession(); - void insertSession(const SSLSessionID &, const char *sni_name, SSL_SESSION *ctx); - bool getSession(const SSLSessionID &, const char *sni_name, SSL_SESSION **ctx); + void insertSession(const SSLSessionID &, SSL_SESSION *ctx); + bool getSession(const SSLSessionID &, SSL_SESSION **ctx) const; void removeSession(const SSLSessionID &); private: @@ -134,8 +133,8 @@ private: class SSLSessionCache { public: - bool getSession(const SSLSessionID &sid, const char *sni_name, SSL_SESSION **sess); - void insertSession(const SSLSessionID &sid, const char *sni_name, SSL_SESSION *sess); + bool getSession(const SSLSessionID &sid, SSL_SESSION **sess) const; + void insertSession(const SSLSessionID &sid, SSL_SESSION *sess); void removeSession(const SSLSessionID &sid); SSLSessionCache(); ~SSLSessionCache(); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/5146b126/iocore/net/SSLUtils.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index 7fede11..b2a1c63 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -180,19 +180,19 @@ SSL_CTX_add_extra_chain_cert_file(SSL_CTX * ctx, const char * chainfile) static SSL_SESSION* ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy) { - const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); *copy = 0; SSLSessionID sid(id, len); if (diags->tag_activated("ssl.session_cache")) { char printable_buf[(len * 2) + 1]; sid.toString(printable_buf, sizeof(printable_buf)); - Debug("ssl.session_cache.get", "ssl_get_cached_session cached session '%s' on name '%s'", printable_buf, servername); + Debug("ssl.session_cache.get", "ssl_get_cached_session cached session '%s' context %p", printable_buf, SSL_get_SSL_CTX(ssl)); } SSL_SESSION *session = NULL; - if(session_cache->getSession(sid, servername, &session)) + if(session_cache->getSession(sid, &session)) { return session; + } else return NULL; @@ -201,16 +201,15 @@ static SSL_SESSION* ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, static int ssl_new_cached_session(SSL *ssl, SSL_SESSION *sess) { unsigned int len = 0; const unsigned char *id = SSL_SESSION_get_id(sess, &len); - const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); SSLSessionID sid(id, len); if (diags->tag_activated("ssl.session_cache")) { char printable_buf[(len * 2) + 1]; sid.toString(printable_buf, sizeof(printable_buf)); - Debug("ssl.session_cache.insert", "ssl_new_cached_session session '%s' on name '%s'", printable_buf, servername); + Debug("ssl.session_cache.insert", "ssl_new_cached_session session '%s' and context %p", printable_buf, SSL_get_SSL_CTX(ssl)); } - session_cache->insertSession(sid, servername, sess); + session_cache->insertSession(sid, sess); return 0; } @@ -1067,8 +1066,8 @@ SSLInitServerContext( SSL_CTX_set_options(ctx, params->ssl_ctx_options); Debug("ssl.session_cache", "ssl context=%p: using session cache options, enabled=%d, size=%d, num_buckets=%d, skip_on_contention=%d, timeout=%d", - ctx, params->ssl_session_cache, params->ssl_session_cache_size, params->ssl_session_cache_num_buckets, - params->ssl_session_cache_skip_on_contention, params->ssl_session_cache_timeout); + ctx, params->ssl_session_cache, params->ssl_session_cache_size, params->ssl_session_cache_num_buckets, + params->ssl_session_cache_skip_on_contention, params->ssl_session_cache_timeout); if (params->ssl_session_cache_timeout) { SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout); @@ -1081,7 +1080,7 @@ SSLInitServerContext( SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL); break; case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL: - Debug("ssl.session_cache", "enabling SSL session cache with OpenSSL implementation"); + Debug("ssl.session_cache", "enabling SSL session cache with OpenSSL implementation"); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); SSL_CTX_sess_set_cache_size(ctx, params->ssl_session_cache_size);
