diff --git a/platform/src/ssl_sess_ticket.cpp b/platform/src/ssl_sess_ticket.cpp
index 4879247..44672d0 100644
--- a/platform/src/ssl_sess_ticket.cpp
+++ b/platform/src/ssl_sess_ticket.cpp
@@ -11,7 +11,7 @@
 #include
-#define STEK_NUM 2
+#define STEK_WINDOW_SIZE 2
 #define STEK_SIZE 80
 #define SEED_MAX_LEN 100
 #define RAND_MAX_VALUE 256
@@ -102,13 +102,18 @@ static void stek_key_reset(struct sess_ticket_key * stek)
 static void ssl_stek_rotation_cb(evutil_socket_t fd, short what, void * arg)
 {
- unsigned int i = 0;
- struct sess_ticket_box * ticket = (struct sess_ticket_box *) arg;
+ unsigned int i=0, j=0;
+ struct sess_ticket_box * ticket = (struct sess_ticket_box *) arg;
+ struct sess_ticket_key** steks=NULL;
 set_stek_rand_seed(ticket->stek_rotation_seconds);
 pthread_rwlock_wrlock(&(ticket->stek_rwlock));
+ steks=ticket->ticket_keys;
 for(i = 0; i < ticket->ticket_group_num; i ++)
 {
- memcpy(&(ticket->ticket_keys[i][1]), &(ticket->ticket_keys[i][0]), STEK_SIZE);
+ for(j=1; jticket_keys[i][0]));
 }
 pthread_rwlock_unlock(&(ticket->stek_rwlock));
@@ -133,7 +138,7 @@ struct sess_ticket_box * sess_ticket_box_create(struct event_base * ev_base, uns
 pthread_rwlock_wrlock(&(ticket->stek_rwlock));
 for(i = 0; i < stek_group_num; i++)
 {
- ticket->ticket_keys[i] = ALLOC(struct sess_ticket_key, STEK_NUM);
+ ticket->ticket_keys[i] = ALLOC(struct sess_ticket_key, STEK_WINDOW_SIZE);
 stek_key_reset(&(ticket->ticket_keys[i][0]));
 }
 pthread_rwlock_unlock(&(ticket->stek_rwlock));
@@ -176,18 +181,16 @@ enum STEK_GET_RET sess_ticket_box_get_key_for_dec(struct sess_ticket_box * box,
 pthread_rwlock_rdlock(&(box->stek_rwlock));
 steks=box->ticket_keys;
 stek_index=stek_get_idx_by_sni(sni, box->ticket_group_num);
-
- if (memcmp(key_name, steks[stek_index][0].name, 16) == 0)
+ int i=0;
+ for(i=0; istek_rwlock));
 return ret;
 }
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 53a71f1..1c99d89 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
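Review bot: The slot shift in ssl_stek_rotation_cb is now an ascending loop (`for(j=1; j<…`; its body is garbled on this page, so the rest is inferred), and if it copies slot j-1 into slot j the way the removed memcpy copied slot 0 into slot 1, each iteration reads a slot the previous iteration has already overwritten, so every slot ends up holding the old slot 0 and the older keys are lost as soon as STEK_WINDOW_SIZE grows past 2. Shift from the top down instead, `for(j = STEK_WINDOW_SIZE - 1; j >= 1; j--) memcpy(&(steks[i][j]), &(steks[i][j-1]), sizeof(steks[i][j]));` — `sizeof` rather than STEK_SIZE also keeps the copy in step with the struct, and the `j >= 1` bound terminates correctly for an unsigned j. Separately, the replacement slot-0 key is produced by stek_key_reset right after `set_stek_rand_seed(ticket->stek_rotation_seconds)`, and the SEED_MAX_LEN / RAND_MAX_VALUE constants in the first hunk suggest a home-grown generator; neither function is visible here, so it is worth confirming that the key bytes come from a CSPRNG such as RAND_bytes and not from a generator seeded with the rotation interval, since predictable ticket keys let a passive observer decrypt every resumed session.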
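Review bot: sess_ticket_box_create still resets only slot 0 of each group (`stek_key_reset(&(ticket->ticket_keys[i][0]))`) although the array is now allocated with STEK_WINDOW_SIZE entries and the decryption lookup in this same commit scans every slot. Until the first rotation fills them, slots 1..STEK_WINDOW_SIZE-1 hold whatever ALLOC leaves there — zeroed or uninitialized, I cannot tell from here — and a ticket whose 16-byte key_name happens to match that content (all zeros, say) would be accepted and decrypted with non-random key material. Give every slot a fresh key at creation, `for(j = 0; j < STEK_WINDOW_SIZE; j++) stek_key_reset(&(ticket->ticket_keys[i][j]));`, or record how many slots are populated and stop the lookup there. The enclosing function starts and ends outside the hunk.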
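Review bot: The new lookup loop in sess_ticket_box_get_key_for_dec (`for(i=0; i<…`; its body and the rest of the hunk are garbled on this page) replaces the check that told the current key in slot 0 apart from the previous one, but what is assigned to ret inside the loop is not visible, and the caller needs that distinction: when a ticket matched a slot other than 0 the ticket-key callback should return 2 so OpenSSL reissues the ticket under the current key, otherwise resumed sessions keep riding on a key that is about to age out of the window. Set ret from the slot index (the STEK_GET_RET value for the current key when `i == 0`, the old-key value otherwise) and `break;` on the first match, and state in a comment above the loop that slot 0 is the only encryption key and higher slots are decrypt-only. The enclosing function starts outside the hunk.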
@@ -869,7 +869,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
 }
 if(strlen(tls13_cipher)>0 && s_stream->ssl_max_version==TLS1_3_VERSION)
 {
- SSL_CTX_set_ciphersuites(sslctx, tls13_cipher);
+ //SSL_CTX_set_ciphersuites(sslctx, tls13_cipher);
 }
 if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 ||
@@ -881,6 +881,25 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
 SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
 SSL_CTX_set_client_cert_cb(sslctx, ossl_client_cert_cb);
+
+ if(mgr->no_sesscache)
+ {
+ SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_OFF);
+ }
+ else
+ {
+ SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_NO_INTERNAL);
+ /* session resuming based on remote endpoint address and port */
+ sess = up_session_get(mgr->up_sess_cache,
+ (struct sockaddr *) &(s_stream->addr), s_stream->addrlen, chello->sni,
+ s_stream->ssl_min_version, s_stream->ssl_max_version);
+ if (sess)
+ {
+ ret=SSL_CTX_add_session(sslctx, sess); /* increments sess refcount */
+ assert(ret==1);
+ SSL_SESSION_free(sess);
+ }
+ }
 ssl = SSL_new(sslctx);
 SSL_CTX_free(sslctx); /* SSL_new() increments refcount */
 if (!ssl)
@@ -901,21 +920,6 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
 /* lower memory footprint for idle connections */
 SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);
-
- if(!mgr->no_sesscache)
- {
- if(ret == 0)
- {
- /* session resuming based on remote endpoint address and port */
- sess = up_session_get(mgr->up_sess_cache,
- (struct sockaddr *) &(s_stream->addr), s_stream->addrlen, chello->sni,
- s_stream->ssl_min_version, s_stream->ssl_max_version);
- if (sess)
- {
- SSL_set_session(ssl, sess); /* increments sess refcount */
- SSL_SESSION_free(sess);
- }
- }
- }
 s_stream->ssl=ssl;
 return ;
 }
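Review bot: Commenting out `SSL_CTX_set_ciphersuites(sslctx, tls13_cipher);` leaves the configured TLS 1.3 suite list silently ignored for upstream connections: the `if(strlen(tls13_cipher)>0 && ...)` block around it is now empty, so an operator who restricts suites in configuration gets OpenSSL's defaults instead, with nothing logged. If the restriction is meant to go, delete the line and the now-dead condition and record the reason in a comment such as `/* TLS 1.3 suites are left at OpenSSL defaults: <reason> */`; if it was disabled because a cached session would not resume under a different suite (a resumed TLS 1.3 session must use a suite with the same hash as the original), the upstream session cache should instead be keyed on the suite configuration so a mismatching entry is not offered. Commented-out code should not be what ships either way. The enclosing function starts outside the hunk.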
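Review bot: Moving resumption from `SSL_set_session(ssl, sess)` (deleted in the last hunk) to `SSL_CTX_add_session(sslctx, sess)` most likely stops upstream sessions from being resumed at all: as far as OpenSSL documents it, the SSL_CTX session cache is only consulted automatically on the server side, a client offers only the session explicitly attached with SSL_set_session(), and `SSL_SESS_CACHE_NO_INTERNAL`, set two lines earlier, disables internal lookup anyway. Keep the add if the cache is wanted for bookkeeping, but hold on to sess, and after `ssl = SSL_new(sslctx)` succeeds call `SSL_set_session(ssl, sess); SSL_SESSION_free(sess);` (freeing sess on the `!ssl` error path too). `assert(ret==1)` is also the wrong check: under NDEBUG it disappears and a failed add is ignored, while in a debug build a 0 return — which SSL_CTX_add_session also gives when that identical session object was already added — aborts the whole process over a cache-state condition; replace it with a logged `if (ret != 1)` branch that falls back to a full handshake. The enclosing function starts outside the hunk.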