duke8253 edited a comment on pull request #7479:
URL: https://github.com/apache/trafficserver/pull/7479#issuecomment-779424014


   After some testing, I'm not sure we'll need to add any of the other callback 
functions, nor do we want to use OpenSSL's internal cache system. Here's 
what I did:
   
   Just two simple cb functions to see when they're called:
   ```
   // Stub for SSL_CTX_sess_set_remove_cb: only logs that OpenSSL asked us to
   // drop a session from the cache.
   static void
   remove_origin_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
   {
     Debug("ssl.origin_session_cache", "remove_origin_session_cb");
   }
   
   // Stub for SSL_CTX_sess_set_get_cb: logs the lookup and returns no session,
   // so it never affects what gets resumed.
   static SSL_SESSION *
   get_origin_session_cb(SSL *ssl, const unsigned char *id, int len, int *copy)
   {
     Debug("ssl.origin_session_cache", "get_origin_session_cb");
     return nullptr;
   }
   ```
   
   And here's the debug output of a resumption to the origin server. The two `get`s 
are because we do async handshakes, so it tries to grab the session twice. As 
seen here, the `remove` happens right after the `get`, and before the actual 
reuse success check, which means that it will remove the session from the cache 
after using it. But in order to do that, it'll need to acquire the lock and 
access the cache to do a search. With my implementation, when inserting a 
new session this is already done at the same time: a new session always 
overwrites the existing one matching the same sni/address, so it only needs to 
take the lock once and do the search once. Also, the `get` callback function 
never gets called here, since OpenSSL doesn't know when or what to get.
   ```
   [Feb 15 13:46:41.242] [ET_NET 5] DEBUG: <SSLSessionCache.cc:348 (get_session)> (ssl.origin_session_cache) get session: 58adc5284aa3dcd
   [Feb 15 13:46:41.243] [ET_NET 5] DEBUG: <SSLSessionCache.cc:348 (get_session)> (ssl.origin_session_cache) get session: 58adc5284aa3dcd
   [Feb 15 13:46:41.243] [ET_NET 5] DEBUG: <SSLClientUtils.cc:192 (remove_origin_session_cb)> (ssl.origin_session_cache) remove_origin_session_cb
   [Feb 15 13:46:41.243] [ET_NET 5] DEBUG: <SSLUtils.cc:1925 (SSLConnect)> (ssl.origin_session_cache) reused session to origin: 58adc5284aa3dcd = 0x7f9c74f7f600
   [Feb 15 13:46:41.243] [ET_NET 5] DEBUG: <SSLSessionCache.cc:316 (insert_session)> (ssl.origin_session_cache) insert session: 58adc5284aa3dcd = 0x7f9c7477f600
   ```
   
   As for the internal cache, other than that it stores the sessions in a different 
way, it is still up to us to search for the session and use it during the 
connection.
   
   > As there is no reliable way for the OpenSSL library to know whether a 
session should be reused or which session to choose (due to the abstract BIO 
layer the SSL engine does not have details about the connection), the 
application must select the session to be reused by using the 
SSL_set_session(3) function. 
   
   And in order to access the internal cache, we'll need to use 
`SSL_CTX_sessions` 
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_sessions.html). It will give 
us a `LHASH_OF(SSL_SESSION)`, and then we'll need to do the search with the other 
LHASH functions (https://www.openssl.org/docs/man1.1.1/man3/lh_TYPE_doall.html).
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
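The comment above argues that an application-owned origin session cache whose insert overwrites the entry for the same sni/address needs one lock acquisition and one search per resumed connection, whereas letting OpenSSL's remove callback drop the used session costs an extra lock-and-search before the new session is inserted. The following C program is an added example written for this page; it is not code from the pull request or from Apache Traffic Server. It models the cache with a linked list, a stub session struct in place of `SSL_SESSION`, counters in place of the real mutex, and a constructed `sni:address` key, and runs both flows so the lock counts can be compared. Where the real code would call `SSL_get1_session()`, `SSL_set_session()` and `SSL_SESSION_free()` is noted in comments; those calls are not made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSL's SSL_SESSION. The real cache stores the SSL_SESSION *
 * from SSL_get1_session() (or the new-session callback) and passes it to
 * SSL_set_session() before SSL_connect(); here only an id is kept. */
typedef struct { unsigned long id; } stub_session;

/* One cache slot, keyed by the "sni:address" string the comment describes. */
typedef struct slot { char key[96]; stub_session *sess; struct slot *next; } slot;

typedef struct {
    slot *head;
    unsigned lock_taken;  /* instrumentation: how often the single cache lock was acquired */
    unsigned searches;    /* instrumentation: how often the key list was walked */
} origin_cache;

static void cache_init(origin_cache *c)   { memset(c, 0, sizeof *c); }
/* The real implementation serialises on a mutex; these only count acquisitions. */
static void cache_lock(origin_cache *c)   { c->lock_taken++; }
static void cache_unlock(origin_cache *c) { (void)c; }

static stub_session *new_session(unsigned long id)
{
    stub_session *s = calloc(1, sizeof *s);
    s->id = id;
    return s;
}

/* Walk the list for key; caller must hold the lock. */
static slot *find_locked(origin_cache *c, const char *key)
{
    c->searches++;
    for (slot *s = c->head; s; s = s->next)
        if (strcmp(s->key, key) == 0) return s;
    return NULL;
}

/* Application-side lookup (the comment's get_session). NULL on a miss, the way
 * the stub get_origin_session_cb returns nullptr. */
stub_session *cache_get(origin_cache *c, const char *key)
{
    cache_lock(c);
    slot *s = find_locked(c, key);
    stub_session *out = s ? s->sess : NULL;
    cache_unlock(c);
    return out;
}

/* Insert-with-overwrite: one lock, one search. A session for an existing
 * sni/address replaces the old one in place; no separate remove is needed. */
void cache_insert(origin_cache *c, const char *key, stub_session *sess)
{
    cache_lock(c);
    slot *s = find_locked(c, key);
    if (s) {
        free(s->sess);                       /* SSL_SESSION_free() in the real cache */
        s->sess = sess;
    } else {
        s = calloc(1, sizeof *s);
        snprintf(s->key, sizeof s->key, "%s", key);
        s->sess = sess;
        s->next = c->head;
        c->head = s;
    }
    cache_unlock(c);
}

/* What a remove callback would have to do: lock and search again just to
 * unlink the session that cache_get returned a moment earlier. */
int cache_remove(origin_cache *c, const char *key)
{
    int removed = 0;
    cache_lock(c);
    c->searches++;
    for (slot **pp = &c->head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->key, key) == 0) {
            slot *victim = *pp;
            *pp = victim->next;
            free(victim->sess);
            free(victim);
            removed = 1;
            break;
        }
    }
    cache_unlock(c);
    return removed;
}

unsigned cache_count(const origin_cache *c)
{
    unsigned n = 0;
    for (const slot *s = c->head; s; s = s->next) n++;
    return n;
}

unsigned long cache_current_id(origin_cache *c, const char *key)
{
    stub_session *s = cache_get(c, key);
    return s ? s->id : 0;
}

void cache_free(origin_cache *c)
{
    for (slot *s = c->head; s;) { slot *n = s->next; free(s->sess); free(s); s = n; }
    c->head = NULL;
}

/* Flow A, remove-callback style: get -> remove_cb fires -> insert the new session.
 * Returns the number of lock acquisitions this resumed connection cost. */
unsigned resume_via_remove_cb(origin_cache *c, const char *key, unsigned long new_id)
{
    unsigned before = c->lock_taken;
    stub_session *reuse = cache_get(c, key);   /* would feed SSL_set_session(), which takes its own ref */
    (void)reuse;                               /* not dereferenced after the remove below */
    cache_remove(c, key);
    cache_insert(c, key, new_session(new_id)); /* new session arrives after the handshake */
    return c->lock_taken - before;
}

/* Flow B, the comment's approach: get, then an insert that overwrites in place. */
unsigned resume_via_overwrite(origin_cache *c, const char *key, unsigned long new_id)
{
    unsigned before = c->lock_taken;
    stub_session *reuse = cache_get(c, key);
    (void)reuse;
    cache_insert(c, key, new_session(new_id));
    return c->lock_taken - before;
}

/* Runs both flows on a fresh cache. Returns locks(A) * 10 + locks(B), or -1 if
 * the cache is ever left in the wrong state. */
int compare_flows(void)
{
    origin_cache c;
    const char *key = "origin.example:203.0.113.10:443"; /* constructed key, not a real origin */
    unsigned a = 0, b = 0;
    int result = -1;

    cache_init(&c);
    if (cache_get(&c, key) != NULL) goto out;          /* an empty cache must miss */
    cache_insert(&c, key, new_session(1));             /* first full handshake stores a session */

    a = resume_via_remove_cb(&c, key, 2);
    if (cache_count(&c) != 1 || cache_current_id(&c, key) != 2) goto out;

    b = resume_via_overwrite(&c, key, 3);
    if (cache_count(&c) != 1 || cache_current_id(&c, key) != 3) goto out;

    result = (int)(a * 10 + b);
out:
    cache_free(&c);
    return result;
}

int main(void)
{
    int r = compare_flows();
    printf("remove-callback flow: %d locks, overwrite flow: %d locks\n", r / 10, r % 10);
    return r == 32 ? 0 : 1;
}
```

The second field of the key would be the origin address (and port) in a real deployment; whatever the exact key format, the point carried by the counters is that an insert which searches for and replaces the existing entry makes the remove callback's extra lock-and-search redundant, and that the cache is left holding exactly one entry per key either way.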