[ https://issues.apache.org/jira/browse/TS-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-3687:
------------------------------
Fix Version/s: 6.1.0 (was: 6.0.0)
> ATS Session Cache table never removes expired sessions
> ------------------------------------------------------
>
> Key: TS-3687
> URL: https://issues.apache.org/jira/browse/TS-3687
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
> Fix For: 6.1.0
>
>
> While this sounds bad, it is only a performance issue. It is not a security
> issue. OpenSSL will not allow the expired sessions to be used.
>
> Here are the details.
>
> When you use the ATS version of the SSL session cache, ATS registers
> callbacks to handle creating new sessions, getting existing sessions,
> and removing old sessions. While debugging the new session plugin API,
> I saw that the new sessions and get session callbacks were being
> triggered but the remove session callback was never being triggered.
>
> At first I was concerned that we were never removing sessions from the
> cache and reusing them forever. I poked through the OpenSSL 1.0.1 (and
> briefly the 1.0.2) code and set some breakpoints, and verified that the
> stale sessions are being rejected but the code only tries to remove it
> from the OpenSSL internal cache implementation (which failed and so the
> remove callback was never triggered).
>
> So I think this is only a performance problem. The old session cache is
> never removed from the ATS session cache until we run out of space and
> the old values are evicted.
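
The behaviour described in the report, as an added simplified model (not code from ATS or OpenSSL): an external session table in which a lookup of an expired session is always rejected, with a flag that selects between leaving the stale slot in place until it is overwritten and freeing it on the lookup path. Freeing on lookup is one possible mitigation assumed here, not the project's fix; all names, the table size and the timestamps are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CAP 4      /* constructed table size */
#define ID_LEN 8   /* constructed session-id length */
typedef struct { int used; unsigned char id[ID_LEN]; time_t created; long timeout; } entry_t;
typedef struct { entry_t slot[CAP]; size_t victim; } cache_t;

/* Store a session; a full table overwrites a slot (eviction for space). */
static void cache_insert(cache_t *c, const unsigned char *id, time_t now, long timeout) {
    entry_t *e = NULL;
    for (size_t i = 0; i < CAP && !e; i++) if (!c->slot[i].used) e = &c->slot[i];
    if (!e) { e = &c->slot[c->victim]; c->victim = (c->victim + 1) % CAP; }
    e->used = 1; memcpy(e->id, id, ID_LEN); e->created = now; e->timeout = timeout;
}

/* Look up a session. An expired hit is always rejected (NULL is returned);
 * evict_expired decides whether the stale slot is also freed. */
static const entry_t *cache_get(cache_t *c, const unsigned char *id, time_t now, int evict_expired) {
    for (size_t i = 0; i < CAP; i++) {
        entry_t *e = &c->slot[i];
        if (!e->used || memcmp(e->id, id, ID_LEN) != 0) continue;
        int stale = (long)(now - e->created) > e->timeout;
        if (stale && evict_expired) e->used = 0;
        return stale ? NULL : e;
    }
    return NULL;
}

static size_t cache_count(const cache_t *c) {
    size_t n = 0;
    for (size_t i = 0; i < CAP; i++) n += (size_t)c->slot[i].used;
    return n;
}

/* Constructed scenario: two sessions, one looked up after its lifetime. */
static size_t slots_after_expired_lookup(int evict_expired) {
    cache_t c; memset(&c, 0, sizeof c);
    const unsigned char a[ID_LEN] = "sessAAA", b[ID_LEN] = "sessBBB";
    cache_insert(&c, a, 1000, 300);
    cache_insert(&c, b, 1200, 300);
    (void)cache_get(&c, a, 1400, evict_expired);  /* 400 s old: rejected */
    return cache_count(&c);
}

int main(void) {
    printf("slots in use, stale kept: %zu, stale freed on lookup: %zu\n",
           slots_after_expired_lookup(0), slots_after_expired_lookup(1));
    return 0;
}
```

In both modes the expired session is refused, so the difference is only how many slots stay occupied.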