[nginx] SSL: disabled saving tickets to session cache.

Sergey Kandaurov pluknet at nginx.com
Thu Oct 13 10:56:56 UTC 2022


details:   https://hg.nginx.org/nginx/rev/026ee23b6774
branches:  
changeset: 8074:026ee23b6774
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Wed Oct 12 20:14:34 2022 +0300
description:
SSL: disabled saving tickets to session cache.

OpenSSL tries to save TLSv1.3 sessions into session cache even when using
tickets for stateless session resumption, "because some applications just
want to know about the creation of a session".  To avoid trashing session
cache with useless data, we do not save such sessions now.

diffstat:

 src/event/ngx_event_openssl.c |  17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

diffs (27 lines):

diff -r aa663cc2a77d -r 026ee23b6774 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Tue Sep 27 11:31:16 2022 +0400
+++ b/src/event/ngx_event_openssl.c	Wed Oct 12 20:14:34 2022 +0300
@@ -3818,6 +3818,23 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
     ngx_ssl_session_cache_t  *cache;
     u_char                    buf[NGX_SSL_MAX_SESSION_SIZE];
 
+#ifdef TLS1_3_VERSION
+
+    /*
+     * OpenSSL tries to save TLSv1.3 sessions into session cache
+     * even when using tickets for stateless session resumption,
+     * "because some applications just want to know about the creation
+     * of a session"; do not cache such sessions
+     */
+
+    if (SSL_version(ssl_conn) == TLS1_3_VERSION
+        && (SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0)
+    {
+        return 0;
+    }
+
+#endif
+
     len = i2d_SSL_SESSION(sess, NULL);
 
     /* do not cache too big session */



More information about the nginx-devel mailing list