[PATCH] SSL: respect session timeout in configs without session cache.
Maxim Dounin
mdounin at mdounin.ru
Thu Oct 10 12:48:58 UTC 2013
Hello!
On Wed, Oct 09, 2013 at 02:21:08PM -0700, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1381353349 25200
> # Wed Oct 09 14:15:49 2013 -0700
> # Node ID 6d1d1c6d346839d3ccdca92cee32bc9887c19841
> # Parent 5483d9e77b3287b00b1104a07688bda37bc7351e
> SSL: respect session timeout in configs without session cache.
>
> Previously, session timeout value was used only when session cache
> was configured, which meant that in configurations without it,
> Session Tickets would always get 5 minutes timeout hint, regardless
> of the configured session timeout.
>
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
>
> diff -r 5483d9e77b32 -r 6d1d1c6d3468 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Wed Oct 02 15:07:17 2013 +0400
> +++ b/src/event/ngx_event_openssl.c Wed Oct 09 14:15:49 2013 -0700
> @@ -1700,7 +1700,7 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_
>
> ngx_int_t
> ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
> - ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
> + ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone)
> {
> long cache_mode;
>
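Review bot: dropping the time_t timeout argument from the ngx_ssl_session_cache() signature breaks every existing caller of this function, and the part of the patch that updates the http/mail callers is not visible in the quoted text. If the goal is only to apply the timeout when no session cache is configured, keeping the parameter and applying it inside the function gets the same result without an API change.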
> @@ -1749,8 +1749,6 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ng
> }
> }
>
> - SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
> -
> if (shm_zone) {
> SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
> SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
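Review bot: with SSL_CTX_set_timeout() deleted here, nothing in the visible part of ngx_ssl_session_cache() sets the timeout on ssl->ctx any more, so the fix depends on every caller doing it. A caller that omits the call ends up with the same default ticket timeout hint that the commit message describes as the bug. Either keep the call in one place, or add a comment at the function stating that callers now own the timeout.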
[...]
I don't see a real reason for the API change, and direct use of
SSL_CTX_set_timeout() in http/mail ssl modules. What about this
instead:
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1704,6 +1704,8 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl,
{
long cache_mode;
+ SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
+
if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
return NGX_OK;
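Review bot: the SSL_CTX_set_timeout() call added at the top of the function has no comment explaining why it has to run before the NGX_SSL_NO_SCACHE early return. A one-line comment saying that the timeout also applies to session tickets, and is therefore set even when the session cache is off, would keep a later cleanup from moving the call back below the return.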
@@ -1749,8 +1751,6 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl,
}
}
- SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
-
if (shm_zone) {
SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
?
--
Maxim Dounin
http://nginx.org/en/donation.html