[PATCH 01 of 11] SSL: disabled saving tickets to session cache
Maxim Dounin
mdounin at mdounin.ru
Fri Aug 26 03:01:08 UTC 2022
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1661481945 -10800
# Fri Aug 26 05:45:45 2022 +0300
# Node ID 2cd8fbeb4edc5a99b725585edc02a16a8a0c503e
# Parent 069a4813e8d6d7ec662d282a10f5f7062ebd817f
SSL: disabled saving tickets to session cache.

OpenSSL for TLSv1.3 tries to save tickets into session cache "because some
applications just want to know about the creation of a session". To avoid
trashing session cache with useless data, we do not save such sessions now.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3815,6 +3815,22 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
ngx_ssl_session_cache_t *cache;
u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+#ifdef TLS1_3_VERSION
+
+ /*
+ * OpenSSL for TLSv1.3 tries to save tickets into session cache
+ * "because some applications just want to know about the creation
+ * of a session"; do not cache such sessions
+ */
+
+ if (SSL_version(ssl_conn) == TLS1_3_VERSION
+ && (SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0)
+ {
+ return 0;
+ }
+
+#endif
+
len = i2d_SSL_SESSION(sess, NULL);
/* do not cache too big session */
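
Review bot: the comment above the new `if` in ngx_ssl_new_session() says why TLSv1.3 ticket sessions are skipped, but not why the condition also tests `SSL_OP_NO_TICKET`, and that second half is what keeps the change safe. As written, the early `return 0` is taken only when the option is clear, so a TLSv1.3 connection with tickets disabled still falls through to `i2d_SSL_SESSION()` and gets cached, which appears to be the intent since resumption in that configuration depends on the cache. I would add one sentence to the comment stating this, so a later cleanup does not reduce the test to the `SSL_version(ssl_conn) == TLS1_3_VERSION` check alone and silently break resumption when tickets are off. It would also help to note that returning 0 here means the callback did not keep a reference to `sess`, matching the other early exits in this function.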