On Wed, Aug 13, 2014 at 03:32:00PM -0400, Salz, Rich wrote:

> What's the programming model for using session cache with a multi-threaded 
> server?
> When a client connects, a refcount on the object is incremented.

A lot depends on whether the cache is internal, or external via callbacks,
and whether session tickets are used.

> But then fields can be changed (such as ecpointformat).  Does it
> make more sense for session to deep-copy the session from the cache?

With resumption, no actual ECDH key agreement or ECDSA certificate
use takes place, so perhaps such updates can be suppressed.  The
resumed session should I think be essentially read-only.

Don't know the internal cache use-case well enough.  With Postfix,
the session is always deep-copied, because the cache is external.

On the other hand MTAs are not even remotely under as much TPS
pressure as web servers, so the latency of interacting with an
external cache daemon, doing deep copies, ... is not significant.
For other applications, that could be more problematic.

Postfix supports a single session object in the internal cache,
should it/can it instead set the internal cache size to zero?


        /*
         * Initialize the session cache.
         *
         * With a large number of concurrent smtpd(8) processes, it is not a
         * good idea to cache multiple large session objects in each process.
         * We set the internal cache size to 1, and don't register a
         * "remove_cb" so as to avoid deleting good sessions from the
         * external cache prematurely (when the internal cache is full,
         * OpenSSL removes sessions from the external cache also)!
         *
         * This makes SSL_CTX_remove_session() not useful for flushing broken
         * sessions from the external cache, so we must delete them directly
         * (not via a callback).
         *
         * Set a session id context to identify to what type of server process
         * created a session. In our case, the context is simply the name of
         * the mail system: "Postfix/TLS".
         */
        SSL_CTX_sess_set_cache_size(server_ctx, 1);
        SSL_CTX_set_session_id_context(server_ctx,
                                       (void *) &server_session_id_context,
                                       sizeof(server_session_id_context));
        SSL_CTX_set_session_cache_mode(server_ctx,
                                       SSL_SESS_CACHE_SERVER |
                                       SSL_SESS_CACHE_NO_AUTO_CLEAR);
        if (cachable) {
            app_ctx->cache_type = mystrdup(props->cache_type);

            SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb);
            SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb);
        }

I could probably add: SSL_SESS_CACHE_NO_INTERNAL to the cache mode,
and use the external cache exclusively.  It is not clear whether
with a cache size of "1" I need to ever call SSL_CTX_flush_sessions(3).

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
