Hi, I keep seeing growth in memory usage... suspecting a leak. Want to disable reference counting as well as stop caches so that I can isolate the issue.

It's all happening on client side. I will try disabling cache. Meanwhile, if any other inputs/pointers would be helpful.

-thanks
harish

On Wed, Jan 27, 2021 at 3:32 PM Matt Caswell <m...@openssl.org> wrote:

> On 26/01/2021 18:13, Harish Kulkarni wrote:
> > Thank you both for bringing this to my attention, your points are
> > invaluable.
> >
> > If this is something which gets set from server on client side, can
> > client override this? Can I change this to something less and try? Has
> > anyone tried?
> >
> > What's the option in openssl.conf or some other place?
>
> The session timeout is something entirely controlled by the server. The
> client has no influence on this*. If the server is using session tickets
> for its sessions then it provides a lifetime hint to the client to say
> how long the client can expect the session to be good for. The client
> can query this using SSL_SESSION_get_ticket_lifetime_hint().
>
> On the server the timeout can be configured using SSL_CTX_set_timeout().
> I don't think this is possible to change via openssl.conf.
>
> Matt
>
> * Note that the client may be managing a cache of sessions provided by
> servers. That's not something that happens by default in OpenSSL but can
> be configured using SSL_CTX_set_session_cache_mode(). In that case there
> will be separate timeouts associated with the life of the session in the
> client cache. Those timeouts may not be the same as the server's timeouts.
>
> > -thanks
> > harish
> >
> > On Mon, Jan 25, 2021 at 11:08 PM Matt Caswell <m...@openssl.org
> > <mailto:m...@openssl.org>> wrote:
> >
> > On 23/01/2021 15:22, John Thoe wrote:
> > > Hi list,
> > >
> > > The session reuse question posted on the mailing list earlier
> > > (https://mta.openssl.org/pipermail/openssl-users/2021-January/013360.html)
> > > reminded of a somewhat similar question I have.
> > >
> > > As per the docs,
> > > https://www.openssl.org/docs/man1.0.2/man3/SSL_get_default_timeout.html,
> > > it says the default value is 300 seconds for which a session reuse
> > > will be accepted. The docs say that it is the same for all
> > > protocols.
> > >
> > > However I tried it with my setup where I didn't explicitly set the
> > > timeout and I am getting 7200 seconds as the default value. s_client
> > > output: TLS session ticket lifetime hint: 7200 (seconds). My client
> > > openssl.conf has no setting override (not that it should matter
> > > because this is a server preference). No OpenSSL settings on the
> > > server have been modified as well.
> >
> > Looks to me like the docs are wrong. They probably should say 7200.
> >
> > > In ssl/ssl_sess.c#L80, the code matches the document: ss->timeout =
> > > 60 * 5 + 4; /* 5 minute timeout by default */ ... (with additional
> > > four seconds?)
> >
> > This gets set during construction and then later overwritten when we
> > actually get a new session via "ssl_get_new_session":
> >
> >     /* If the context has a default timeout, use it */
> >     if (s->session_ctx->session_timeout == 0)
> >         ss->timeout = SSL_get_default_timeout(s);
> >     else
> >         ss->timeout = s->session_ctx->session_timeout;
> >
> > In most cases SSL_get_default_timeout() calls tls1_default_timeout() (it
> > can end up somewhere different for certain protocol versions - but all
> > the different variants are the same!):
> >
> >     long tls1_default_timeout(void)
> >     {
> >         /*
> >          * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too
> >          * long for http, the cache would over fill
> >          */
> >         return (60 * 60 * 2);
> >     }
> >
> > 60 * 60 * 2 = 7200
> >
> > Matt