# HG changeset patch # User Sergey Kandaurov <pluk...@nginx.com> # Date 1703255284 -14400 # Fri Dec 22 18:28:04 2023 +0400 # Node ID a463fb67e143c051fd373d1df94e5813a37d5cea # Parent 44266e0651c44f530c4aa66e68c1b9464a9acee7 SSL: raised limit for upstream session size.
Unlike shared session cache used to store multiple client SSL sessions and which may be per a single SSL connection, sessions saved from upstream are per upstream server peer, so there is no such multiplier effect, but they may be of noticeably larger size due to session tickets being used. It was observed that session tickets sent from JVM backends may result in a decoded session size nearly the previous maximum session size limit of 4096 or slightly beyond. Raising the limit allows to save such sessions.
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -137,7 +137,8 @@ struct ngx_ssl_connection_s {
 #define NGX_SSL_DFLT_BUILTIN_SCACHE -5
-#define NGX_SSL_MAX_SESSION_SIZE 4096
+#define NGX_SSL_MAX_SESSION_SIZE 4096
+#define NGX_SSL_CLIENT_MAX_SESSION_SIZE 8192
 typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c
--- a/src/http/ngx_http_upstream_round_robin.c
+++ b/src/http/ngx_http_upstream_round_robin.c
@@ -685,7 +685,7 @@ ngx_http_upstream_set_round_robin_peer_s
 int len;
 const u_char *p;
 ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
 #endif
 peer = rrp->current;
@@ -747,7 +747,7 @@ ngx_http_upstream_save_round_robin_peer_
 int len;
 u_char *p;
 ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
 #endif
 #if (NGX_HTTP_UPSTREAM_ZONE)
@@ -768,7 +768,7 @@ ngx_http_upstream_save_round_robin_peer_
 /* do not cache too big session */
- if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ if (len > NGX_SSL_CLIENT_MAX_SESSION_SIZE) {
 return;
 }
diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
--- a/src/stream/ngx_stream_upstream_round_robin.c
+++ b/src/stream/ngx_stream_upstream_round_robin.c
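Review bot: `NGX_SSL_CLIENT_MAX_SESSION_SIZE` is added in src/event/ngx_event_openssl.h directly below `NGX_SSL_MAX_SESSION_SIZE` with nothing in the header saying which limit applies where, so a later caller sizing a buffer or a length check can pick the wrong one. The reasoning currently lives only in the commit description. A comment on the new line would keep it with the code, for example `/* serialized session saved from an upstream peer (nginx acting as TLS client); NGX_SSL_MAX_SESSION_SIZE remains the limit for the server-side session cache */`.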
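Review bot: In the `@@ -685` hunk of src/http/ngx_http_upstream_round_robin.c the stack buffer grows to 8192 bytes, but the code that fills `buf` from the peer's saved session lies outside the hunk, and the only length check this patch touches is in the save function (`@@ -768`). If the set path copies the stored length without comparing it against `sizeof(buf)`, the buffer's safety rests on every writer of the saved session honouring the same constant. That is worth confirming, and then either bounding the copy or recording the dependency at the declaration, e.g. `/* holds at most NGX_SSL_CLIENT_MAX_SESSION_SIZE bytes; the save path refuses longer sessions */`. The same applies to the stream counterpart at `@@ -717` in src/stream/ngx_stream_upstream_round_robin.c.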
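Review bot: The guard in the `@@ -768` hunk compares `len` with the macro, while the buffer it appears to protect is declared in the `@@ -747` hunk of the same function, so the two stay in step only if every future edit changes both places together, as this commit had to. Bounding by the buffer itself removes that coupling: `if (len <= 0 || (size_t) len > sizeof(buf)) {`. The `len <= 0` part is precautionary: `len` is an `int` and its assignment is outside the hunk, so if it comes from an encoder that signals failure with a non-positive value, that value passes the current check. The stream hunk at `@@ -800` in src/stream/ngx_stream_upstream_round_robin.c has the same shape.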
@@ -717,7 +717,7 @@ ngx_stream_upstream_set_round_robin_peer
 int len;
 const u_char *p;
 ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
 #endif
 peer = rrp->current;
@@ -779,7 +779,7 @@ ngx_stream_upstream_save_round_robin_pee
 int len;
 u_char *p;
 ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
 #endif
 #if (NGX_STREAM_UPSTREAM_ZONE)
@@ -800,7 +800,7 @@ ngx_stream_upstream_save_round_robin_pee
 /* do not cache too big session */
- if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ if (len > NGX_SSL_CLIENT_MAX_SESSION_SIZE) {
 return;
 }
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel