<div dir="ltr"><div dir="ltr">Hello Maxim,</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Oct 9, 2021 at 12:57 PM Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello!<br>
<br>
On Sat, Oct 09, 2021 at 09:14:19AM +0800, DeJiang Zhu wrote:<br>
<br>
> Hi, Nginx developers:<br>
> <br>
> I'm investigating a segfault issue: it happens when both "builtin" and<br>
> "shared" cache types are used in ssl_session_cache and it disappear when<br>
> only use "shared".<br>
> <br>
> It's original reported here:<br>
> <a href="https://github.com/kubernetes/ingress-nginx/issues/7080#issuecomment-932293028" rel="noreferrer" target="_blank">https://github.com/kubernetes/ingress-nginx/issues/7080#issuecomment-932293028</a><br>
> And some more details here:<br>
> <a href="https://github.com/openssl/openssl/issues/16733#issue-1014329932" rel="noreferrer" target="_blank">https://github.com/openssl/openssl/issues/16733#issue-1014329932</a><br>
> <br>
> I haven't see any code on Nginx side that will directly manipulate the<br>
> session hash hash.<br>
> Could you please provide any suggestions? Thanks very much!<br>
<br>
By itself nginx does not try to manipulate OpenSSL's builtin <br>
session cache directly. Rather, nginx only controls if builtin <br>
cache is enabled and its size via SSL_CTX_set_session_cache_mode() <br>
and SSL_CTX_sess_set_cache_size(). Additionally, when nginx has <br>
reasons to remove a session, it calls SSL_CTX_remove_session() to <br>
remove a particular session.<br></blockquote><div><br></div><div>Got it. Thanks for your quick reply.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Note though that the links above indicate that you are using a <br>
fork rather than nginx itself, this might make a difference. <br>
Testing on vanilla nginx without any 3rd party modules might be a <br>
good idea, if it's possible.<br></blockquote><div><br></div><div>AFAIK, ingress-nginx only enabled the "ssl_session_cache" for session cache.</div><div>It hasn't enabled `ssl_session_fetch/store_by_lua" from lua-nginx-module.</div><div><br></div><div>It is only reproduced in some production cases, it's hard to reproduce it on vanilla Nginx.</div><div><br></div><div>Anyway, thanks again, and will update here when got more clues.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
-- <br>
Maxim Dounin<br>
<a href="http://mdounin.ru/" rel="noreferrer" target="_blank">http://mdounin.ru/</a><br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org" target="_blank">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</blockquote></div></div>