[PATCH] SSL: respect session timeout in configs without session cache.

Maxim Dounin mdounin at mdounin.ru
Thu Oct 10 12:48:58 UTC 2013 

Hello!

On Wed, Oct 09, 2013 at 02:21:08PM -0700, Piotr Sikora wrote:

> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1381353349 25200
> #      Wed Oct 09 14:15:49 2013 -0700
> # Node ID 6d1d1c6d346839d3ccdca92cee32bc9887c19841
> # Parent  5483d9e77b3287b00b1104a07688bda37bc7351e
> SSL: respect session timeout in configs without session cache.
> 
> Previously, session timeout value was used only when session cache
> was configured, which meant that in configurations without it,
> Session Tickets would always get 5 minutes timeout hint, regardless
> of the configured session timeout.
> 
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
> 
> diff -r 5483d9e77b32 -r 6d1d1c6d3468 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c     Wed Oct 02 15:07:17 2013 +0400
> +++ b/src/event/ngx_event_openssl.c     Wed Oct 09 14:15:49 2013 -0700
> @@ -1700,7 +1700,7 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_
> 
>  ngx_int_t
>  ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
> -    ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
> +    ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone)
>  {
>      long  cache_mode;
> 
> @@ -1749,8 +1749,6 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ng
>          }
>      }
> 
> -    SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
> -
>      if (shm_zone) {
>          SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
>          SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);

[...]

I don't see a real reason for the API change, and direct use of 
SSL_CTX_set_timeout() in http/mail ssl modules.  What about this 
instead:

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1704,6 +1704,8 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl,
 {
     long  cache_mode;
 
+    SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
+
     if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
         SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
         return NGX_OK;
@@ -1749,8 +1751,6 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl,
         }
     }
 
-    SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
-
     if (shm_zone) {
         SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
         SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);


?

-- 
Maxim Dounin
http://nginx.org/en/donation.html

More information about the nginx-devel mailing list