[ https://issues.apache.org/jira/browse/TS-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14582633#comment-14582633 ]
ASF GitHub Bot commented on TS-3687:
------------------------------------

GitHub user shinrich opened a pull request:

    https://github.com/apache/trafficserver/pull/222

    TS-3687: ATS Session Cache should remove expired sessions

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shinrich/trafficserver TS-3687

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/222.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #222

----
commit 8112de5644e53e8cb875b164108f3d8d622704ba
Author: shinrich <shinr...@yahoo-inc.com>
Date:   2015-06-11T22:40:58Z

    TS-3687: ATS Session Cache should remove expired sessions

----

> ATS Session Cache table never removes expired sessions
> ------------------------------------------------------
>
>                 Key: TS-3687
>                 URL: https://issues.apache.org/jira/browse/TS-3687
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Susan Hinrichs
>            Assignee: Susan Hinrichs
>
> While this sounds bad, it is only a performance issue. It is not a security
> issue. Openssl will not allow the expired sessions to be used.
> Here are the details.
> When you use the ATS version of the ssl session cache, ATS registers
> callbacks to handle creating new sessions, getting existing sessions,
> and removing old sessions. While debugging the new session plugin API,
> I saw that the new sessions and get session callbacks were being
> triggered but the remove session callback was never being triggered.
> At first I was concerned that we were never removing sessions from the
> cache and reusing them forever.
> I poked through the openssl 1.0.1 (and
> briefly the 1.0.2) code and set some break points, and verified that the
> stale sessions are being rejected but the code only tries to remove it
> from the openssl internal cache implementation (which failed and so the
> remove callback was never triggered).
> So I think this is only a performance problem. The old session cache is
> never removed from the ATS session cache until we run out of space and
> the old values are evicted.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
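Added example (not from the ATS code base or from pull request 222): a minimal C model of the situation the report describes, where the TLS library rejects a stale session but the external cache's remove callback is never invoked, so the cache has to check expiry itself at lookup time. The struct and function names, the fixed-size table and the `evict_expired` switch are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 8
#define ID_LEN 32
/* Hypothetical model of a cached TLS session; not ATS's own structures. */
struct sess_entry {
    int used;
    unsigned char id[ID_LEN];
    time_t created;   /* when the session was established */
    long timeout;     /* lifetime in seconds */
};
struct sess_cache { struct sess_entry slot[CACHE_SLOTS]; };

/* "New session" side: store in the first free slot; 0 means the table is full. */
int cache_insert(struct sess_cache *c, const unsigned char *id, time_t created, long timeout) {
    for (size_t i = 0; i < CACHE_SLOTS; i++) {
        struct sess_entry *e = &c->slot[i];
        if (e->used) continue;
        e->used = 1;
        memcpy(e->id, id, ID_LEN);
        e->created = created; e->timeout = timeout;
        return 1;
    }
    return 0;
}

/* "Get session" side. With evict_expired set, a stale entry is freed at
 * lookup time instead of waiting for a remove callback that never fires. */
struct sess_entry *cache_get(struct sess_cache *c, const unsigned char *id,
                             time_t now, int evict_expired) {
    for (size_t i = 0; i < CACHE_SLOTS; i++) {
        struct sess_entry *e = &c->slot[i];
        if (!e->used || memcmp(e->id, id, ID_LEN) != 0) continue;
        if (evict_expired && (long)(now - e->created) > e->timeout) {
            e->used = 0;     /* slot is available for a live session again */
            return NULL;     /* caller falls back to a full handshake */
        }
        return e;
    }
    return NULL;
}

size_t cache_count(const struct sess_cache *c) {
    size_t n = 0;
    for (size_t i = 0; i < CACHE_SLOTS; i++) n += c->slot[i].used ? 1 : 0;
    return n;
}
```

With `evict_expired` set to 0 the stale entry keeps occupying its slot until something else pushes it out, which is the performance cost the report describes.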