增加session cache的开关:no_session_cache,默认为0,即启用session cache。
@@ -119,6 +119,7 @@ struct ssl_mgr
|
||||
unsigned int no_tls10;
|
||||
unsigned int no_tls11;
|
||||
unsigned int no_tls12;
|
||||
unsigned int no_sesscache;
|
||||
unsigned int no_sessticket;
|
||||
unsigned int no_alpn;
|
||||
unsigned int no_cert_verify;
|
||||
@@ -251,8 +252,11 @@ ssl_stream_gc_cb(evutil_socket_t fd, short what, void * arg)
|
||||
{
|
||||
struct ssl_mgr *mgr=(struct ssl_mgr *)arg;
|
||||
int i=0;
|
||||
ssl_sess_cache_stat(mgr->up_sess_cache, &(mgr->stat_val[SSL_UP_CACHE_SZ]), &(mgr->stat_val[SSL_UP_CACHE_QUERY]), &(mgr->stat_val[SSL_UP_CACHE_HIT]));
|
||||
ssl_sess_cache_stat(mgr->down_sess_cache, &(mgr->stat_val[SSL_DOWN_CACHE_SZ]), &(mgr->stat_val[SSL_DOWN_CACHE_QUERY]), &(mgr->stat_val[SSL_DOWN_CACHE_HIT]));
|
||||
if(!mgr->no_sesscache)
|
||||
{
|
||||
ssl_sess_cache_stat(mgr->up_sess_cache, &(mgr->stat_val[SSL_UP_CACHE_SZ]), &(mgr->stat_val[SSL_UP_CACHE_QUERY]), &(mgr->stat_val[SSL_UP_CACHE_HIT]));
|
||||
ssl_sess_cache_stat(mgr->down_sess_cache, &(mgr->stat_val[SSL_DOWN_CACHE_SZ]), &(mgr->stat_val[SSL_DOWN_CACHE_QUERY]), &(mgr->stat_val[SSL_DOWN_CACHE_HIT]));
|
||||
}
|
||||
struct key_keeper_stat keeper_stat;
|
||||
key_keeper_statistic(mgr->key_keeper, &keeper_stat);
|
||||
mgr->stat_val[KEY_KEEPER_ASK]=keeper_stat.ask_times;
|
||||
@@ -279,7 +283,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
|
||||
spec[SSL_UP_ERR_UNSUPPORT_PROTO]="ussl_e_prt";
|
||||
|
||||
spec[SSL_UP_CLOSING]="ussl_clsing";
|
||||
spec[SSL_UP_CLOSED]="ussl_clsed";
|
||||
spec[SSL_UP_CLOSED]="ussl_clsd";
|
||||
spec[SSL_UP_DIRTY_CLOSED]="ussl_dt_cls";
|
||||
spec[SSL_UP_CACHE_SZ]="usess_cache";
|
||||
spec[SSL_UP_CACHE_QUERY]="usess_query";
|
||||
@@ -290,7 +294,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
|
||||
spec[SSL_DOWN_ERR_NO_CERT]="dssl_e_cert";
|
||||
spec[SSL_DOWN_ERR_INAPPROPRIATE_FALLBACK]="dssl_e_fb";
|
||||
spec[SSL_DOWN_CLOSING]="dssl_clsing";
|
||||
spec[SSL_DOWN_CLOSED]="dssl_clsed";
|
||||
spec[SSL_DOWN_CLOSED]="dssl_clsd";
|
||||
spec[SSL_DOWN_DIRTY_CLOSED]="dssl_dt_cls";
|
||||
spec[SSL_DOWN_CACHE_SZ]="dsess_cache";
|
||||
spec[SSL_DOWN_CACHE_QUERY]="dcache_query";
|
||||
@@ -578,6 +582,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0);
|
||||
MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers,
|
||||
sizeof(mgr->default_ciphers), DFLT_CIPHERS);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_session_cache", &(mgr->no_sesscache), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_alpn", &(mgr->no_alpn), 0);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "no_cert_verify", &(mgr->no_cert_verify), 0);
|
||||
@@ -587,9 +592,11 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
MESA_load_profile_uint_def(ini_profile, section, "session_cache_slots", &(mgr->cache_slots), 4 * 1024 * 1024);
|
||||
MESA_load_profile_uint_def(ini_profile, section, "session_cache_expire_seconds", &(mgr->sess_expire_seconds), 30 * 60);
|
||||
|
||||
mgr->up_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_UPSTREAM);
|
||||
mgr->down_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM);
|
||||
|
||||
if(!mgr->no_sesscache)
|
||||
{
|
||||
mgr->up_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_UPSTREAM);
|
||||
mgr->down_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM);
|
||||
}
|
||||
//Reference to NGINX: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
|
||||
//Support key rotation in futher.
|
||||
|
||||
@@ -816,20 +823,22 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello *
|
||||
struct sockaddr_storage addr;
|
||||
socklen_t addrlen = sizeof(struct sockaddr_storage);
|
||||
|
||||
ret = getpeername(fd, (struct sockaddr *) (&addr), &addrlen);
|
||||
if(ret == 0)
|
||||
if(!mgr->no_sesscache)
|
||||
{
|
||||
/* session resuming based on remote endpoint address and port */
|
||||
sess = up_session_get(mgr->up_sess_cache, (struct sockaddr *) &addr, addrlen, chello->sni);
|
||||
if (sess)
|
||||
ret = getpeername(fd, (struct sockaddr *) (&addr), &addrlen);
|
||||
if(ret == 0)
|
||||
{
|
||||
SSL_set_session(ssl, sess); /* increments sess refcount */
|
||||
SSL_SESSION_free(sess);
|
||||
/* session resuming based on remote endpoint address and port */
|
||||
sess = up_session_get(mgr->up_sess_cache, (struct sockaddr *) &addr, addrlen, chello->sni);
|
||||
if (sess)
|
||||
{
|
||||
SSL_set_session(ssl, sess); /* increments sess refcount */
|
||||
SSL_SESSION_free(sess);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
return ssl;
|
||||
}
|
||||
|
||||
@@ -1047,11 +1056,14 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
|
||||
}
|
||||
if(s_stream->is_peer_cert_verify_passed)
|
||||
{
|
||||
//ONLY verified session is cacheable.
|
||||
//The reference count of the SSL_SESSION is not incremented, so no need to free.
|
||||
ssl_sess = SSL_get0_session(s_stream->ssl);
|
||||
up_session_set(mgr->up_sess_cache, (struct sockaddr *)&(ctx->addr),
|
||||
ctx->addrlen, s_stream->client_hello->sni, ssl_sess);
|
||||
if(!mgr->no_sesscache)
|
||||
{
|
||||
//ONLY verified session is cacheable.
|
||||
//The reference count of the SSL_SESSION is not incremented, so no need to free.
|
||||
ssl_sess = SSL_get0_session(s_stream->ssl);
|
||||
up_session_set(mgr->up_sess_cache, (struct sockaddr *)&(ctx->addr),
|
||||
ctx->addrlen, s_stream->client_hello->sni, ssl_sess);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -1253,7 +1265,7 @@ static int ossl_sessnew_cb(SSL * ssl, SSL_SESSION * sess)
|
||||
|
||||
#endif /* HAVE_SSLV2 */
|
||||
|
||||
if (sess)
|
||||
if (sess && !mgr->no_sesscache)
|
||||
{
|
||||
down_session_set(mgr->down_sess_cache, sess);
|
||||
}
|
||||
@@ -1271,7 +1283,7 @@ static void ossl_sessremove_cb(SSL_CTX * sslctx, SSL_SESSION * sess)
|
||||
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_CTX_get_ex_data(sslctx, SSL_EX_DATA_IDX_SSLMGR);
|
||||
assert(mgr != NULL);
|
||||
|
||||
if (sess)
|
||||
if (sess && !mgr->no_sesscache)
|
||||
{
|
||||
down_session_del(mgr->down_sess_cache, sess);
|
||||
}
|
||||
@@ -1286,10 +1298,12 @@ static void ossl_sessremove_cb(SSL_CTX * sslctx, SSL_SESSION * sess)
|
||||
static SSL_SESSION * ossl_sessget_cb(SSL * ssl, const unsigned char * id, int idlen, int * copy)
|
||||
{
|
||||
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_SSLMGR);
|
||||
SSL_SESSION * sess;
|
||||
|
||||
*copy = 0; /* SSL should not increment reference count of session */
|
||||
sess = (SSL_SESSION *) down_session_get(mgr->down_sess_cache, id, idlen);
|
||||
SSL_SESSION * sess=NULL;
|
||||
if(!mgr->no_sesscache)
|
||||
{
|
||||
*copy = 0; /* SSL should not increment reference count of session */
|
||||
sess = (SSL_SESSION *) down_session_get(mgr->down_sess_cache, id, idlen);
|
||||
}
|
||||
return sess;
|
||||
}
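Review bot: The new no_sesscache switch only short-circuits the application-side caches; in the ossl_sessnew_cb, ossl_sessremove_cb and ossl_sessget_cb hunks the OpenSSL callbacks stay registered and nothing in this diff changes the SSL_CTX session-cache mode, so unless the context is created with SSL_SESS_CACHE_OFF (that setup is outside these hunks) OpenSSL's internal cache can still resume downstream sessions and an operator who set no_session_cache expecting full handshakes would not get them. Please confirm the SSL_CTX setup or record the limitation on the field in the struct ssl_mgr hunk, e.g. `unsigned int no_sesscache; /* disables the application session caches only; see SSL_CTX cache mode for the library cache */`. In ossl_sessget_cb, `*copy = 0;` is now written only inside the `if(!mgr->no_sesscache)` branch, so the out-parameter is left untouched on the disabled path; hoisting it to `*copy = 0; /* SSL should not increment reference count of session */` directly above the `if`, with only the down_session_get call inside the block, keeps the callback's contract identical in both modes. With the switch set, ssl_manager_init never creates mgr->up_sess_cache and mgr->down_sess_cache, so every other consumer of those pointers (the teardown path is not in this diff) needs the same guard or a NULL check, and this also relies on mgr being zero-initialised, which I cannot verify from here.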
|
||||
|
||||
|
||||