Repository: trafficserver Updated Branches: refs/heads/master 099f0ad64 -> d2cef5fbc
TS-3127: Add config for OpenSSL session cache auto clear
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f9cb232b
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f9cb232b
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f9cb232b
Branch: refs/heads/master
Commit: f9cb232b2e1f0718e31fc08924ec1728ff3f9304
Parents: 099f0ad
Author: Brian Geffon <[email protected]>
Authored: Fri Oct 10 13:43:12 2014 -0700
Committer: Brian Geffon <[email protected]>
Committed: Fri Oct 10 13:43:12 2014 -0700
----------------------------------------------------------------------
 iocore/net/P_SSLConfig.h | 1 +
 iocore/net/SSLConfig.cc | 2 ++
 iocore/net/SSLUtils.cc | 11 +++++++----
 mgmt/RecordsConfig.cc | 2 ++
 4 files changed, 12 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f9cb232b/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 0cad7d9..a3cb3ed 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -74,6 +74,7 @@ struct SSLConfigParams : public ConfigInfo
   int ssl_session_cache_num_buckets;
   int ssl_session_cache_skip_on_contention;
   int ssl_session_cache_timeout;
+  int ssl_session_cache_auto_clear;
 
   char * clientCertPath;
   char * clientKeyPath;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f9cb232b/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 3aaddc1..6a72914 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -80,6 +80,7 @@ SSLConfigParams::SSLConfigParams()
   ssl_session_cache_num_buckets = 1024; // Sessions per bucket is ceil(ssl_session_cache_size / ssl_session_cache_num_buckets)
   ssl_session_cache_skip_on_contention = 0;
   ssl_session_cache_timeout = 0;
+  ssl_session_cache_auto_clear = 1;
 }
 
 SSLConfigParams::~SSLConfigParams()
@@ -258,6 +259,7 @@ SSLConfigParams::initialize()
   REC_ReadConfigInteger(ssl_session_cache_num_buckets, "proxy.config.ssl.session_cache.num_buckets");
   REC_ReadConfigInteger(ssl_session_cache_skip_on_contention, "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention");
   REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout");
+  REC_ReadConfigInteger(ssl_session_cache_auto_clear, "proxy.config.ssl.session_cache.auto_clear");
 
   SSLConfigParams::session_cache_max_bucket_size = ceil(ssl_session_cache_size/ssl_session_cache_num_buckets );
   SSLConfigParams::session_cache_skip_on_lock_contention = ssl_session_cache_skip_on_contention;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f9cb232b/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 400e7c7..8fcc0b8 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1068,14 +1068,17 @@ SSLInitServerContext(
   // disable selected protocols
   SSL_CTX_set_options(ctx, params->ssl_ctx_options);
 
-  Debug("ssl.session_cache", "ssl context=%p: using session cache options, enabled=%d, size=%d, num_buckets=%d, skip_on_contention=%d, timeout=%d",
+  Debug("ssl.session_cache", "ssl context=%p: using session cache options, enabled=%d, size=%d, num_buckets=%d, skip_on_contention=%d, timeout=%d, auto_clear=%d",
         ctx, params->ssl_session_cache, params->ssl_session_cache_size, params->ssl_session_cache_num_buckets,
-        params->ssl_session_cache_skip_on_contention, params->ssl_session_cache_timeout);
+        params->ssl_session_cache_skip_on_contention, params->ssl_session_cache_timeout, params->ssl_session_cache_auto_clear);
 
   if (params->ssl_session_cache_timeout) {
     SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout);
   }
 
+  int additional_cache_flags = 0;
+  additional_cache_flags |= (params->ssl_session_cache_auto_clear == 0) ? SSL_SESS_CACHE_NO_AUTO_CLEAR : 0;
+
   switch (params->ssl_session_cache) {
   case SSLConfigParams::SSL_SESSION_CACHE_MODE_OFF:
     Debug("ssl.session_cache", "disabling SSL session cache");
@@ -1085,7 +1088,7 @@ SSLInitServerContext(
   case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL:
     Debug("ssl.session_cache", "enabling SSL session cache with OpenSSL implementation");
-    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
+    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | additional_cache_flags);
     SSL_CTX_sess_set_cache_size(ctx, params->ssl_session_cache_size);
     break;
   case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL: {
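Review bot: Setting SSL_SESS_CACHE_NO_AUTO_CLEAR through the new `additional_cache_flags` turns off OpenSSL's own periodic purge of timed-out sessions from its internal cache, and nothing in this hunk adds a replacement `SSL_CTX_flush_sessions()` call, so with `auto_clear=0` expired sessions (and presumably their key material) stay resident until the cache-size limit evicts them. That trade-off should be stated where the flag is computed, e.g. `// auto_clear=0 sets SSL_SESS_CACHE_NO_AUTO_CLEAR: OpenSSL stops purging expired sessions itself, so whoever turns this off must flush the cache some other way`. The two-step `int additional_cache_flags = 0; additional_cache_flags |= ...` could also be a single initialization in the type SSL_CTX_set_session_cache_mode takes: `const long additional_cache_flags = params->ssl_session_cache_auto_clear ? 0 : SSL_SESS_CACHE_NO_AUTO_CLEAR;`. SSLInitServerContext starts and ends outside this hunk.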
@@ -1095,7 +1098,7 @@ SSLInitServerContext(
     SSL_CTX_sess_set_remove_cb(ctx, ssl_rm_cached_session);
     SSL_CTX_sess_set_get_cb(ctx, ssl_get_cached_session);
 
-    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL);
+    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL | additional_cache_flags);
     break;
   }
 
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f9cb232b/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index b75bc29..59c4f73 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1300,6 +1300,8 @@ RecordElement RecordsConfig[] = {
   ,
   {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.session_cache.auto_clear", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", RECU_DYNAMIC, RR_NULL, RECC_STR, "^-?[0-9]+$", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
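Review bot: This branch already passes SSL_SESS_CACHE_NO_INTERNAL, so OpenSSL's internal session store is not in use for the ATS implementation and OR-ing in `additional_cache_flags` (SSL_SESS_CACHE_NO_AUTO_CLEAR) presumably has no effect here, since the automatic flush only walks that internal store. If the intent is just to hand both modes the same flag set, a comment should say so, e.g. `// additional_cache_flags is effectively a no-op with SSL_SESS_CACHE_NO_INTERNAL; passed for symmetry with the OpenSSL-cache branch`; otherwise operators will read `auto_clear` as also governing the ATS-side cache. SSLInitServerContext ends outside this hunk.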
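Review bot: The new `proxy.config.ssl.session_cache.auto_clear` record is registered with `RECC_NULL` and no range check, although its consumer in SSLUtils.cc treats it as a boolean (`== 0`) and the neighbouring `proxy.config.ssl.hsts_include_subdomains` record in this same hunk constrains itself with `RECC_INT, "[0-1]"`. Using the same check rejects an out-of-range value at config load instead of silently treating anything non-zero as "enabled": `{RECT_CONFIG, "proxy.config.ssl.session_cache.auto_clear", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}`. The RecordsConfig[] array continues outside this hunk.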
