gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

未开启session cache时,关闭upstream ssl的cahce,避免buffer event 报告999:invalid session id:20:SSL routines:369:tls_process_server_hello。

Browse Source
This commit is contained in:
zhengchao
2019-05-30 12:34:42 +08:00
parent 3339ffd533
commit 5cdad62fc7
2 changed files with 39 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
platform/src/ssl_sess_ticket.cpp
View File

@@ -11,7 +11,7 @@
#include <pthread.h> #include <pthread.h>
#define STEK_NUM 2 #define STEK_WINDOW_SIZE 2
#define STEK_SIZE 80 #define STEK_SIZE 80
#define SEED_MAX_LEN 100 #define SEED_MAX_LEN 100
#define RAND_MAX_VALUE 256 #define RAND_MAX_VALUE 256
@@ -102,13 +102,18 @@ static void stek_key_reset(struct sess_ticket_key * stek)
static void ssl_stek_rotation_cb(evutil_socket_t fd, short what, void * arg) static void ssl_stek_rotation_cb(evutil_socket_t fd, short what, void * arg)
{ {
unsigned int i = 0; unsigned int i=0, j=0;
struct sess_ticket_box * ticket = (struct sess_ticket_box *) arg; struct sess_ticket_box * ticket = (struct sess_ticket_box *) arg;
struct sess_ticket_key** steks=NULL;
set_stek_rand_seed(ticket->stek_rotation_seconds); set_stek_rand_seed(ticket->stek_rotation_seconds);
pthread_rwlock_wrlock(&(ticket->stek_rwlock)); pthread_rwlock_wrlock(&(ticket->stek_rwlock));
steks=ticket->ticket_keys;
for(i = 0; i < ticket->ticket_group_num; i ++) for(i = 0; i < ticket->ticket_group_num; i ++)
{ {
memcpy(&(ticket->ticket_keys[i][1]), &(ticket->ticket_keys[i][0]), STEK_SIZE); for(j=1; j<STEK_WINDOW_SIZE; j++)
{
steks[i][j]=steks[i][j-1];
}
stek_key_reset(&(ticket->ticket_keys[i][0])); stek_key_reset(&(ticket->ticket_keys[i][0]));
} }
pthread_rwlock_unlock(&(ticket->stek_rwlock)); pthread_rwlock_unlock(&(ticket->stek_rwlock));
@@ -133,7 +138,7 @@ struct sess_ticket_box * sess_ticket_box_create(struct event_base * ev_base, uns
pthread_rwlock_wrlock(&(ticket->stek_rwlock)); pthread_rwlock_wrlock(&(ticket->stek_rwlock));
for(i = 0; i < stek_group_num; i++) for(i = 0; i < stek_group_num; i++)
{ {
ticket->ticket_keys[i] = ALLOC(struct sess_ticket_key, STEK_NUM); ticket->ticket_keys[i] = ALLOC(struct sess_ticket_key, STEK_WINDOW_SIZE);
stek_key_reset(&(ticket->ticket_keys[i][0])); stek_key_reset(&(ticket->ticket_keys[i][0]));
} }
pthread_rwlock_unlock(&(ticket->stek_rwlock)); pthread_rwlock_unlock(&(ticket->stek_rwlock));
@@ -176,18 +181,16 @@ enum STEK_GET_RET sess_ticket_box_get_key_for_dec(struct sess_ticket_box * box,
pthread_rwlock_rdlock(&(box->stek_rwlock)); pthread_rwlock_rdlock(&(box->stek_rwlock));
steks=box->ticket_keys; steks=box->ticket_keys;
stek_index=stek_get_idx_by_sni(sni, box->ticket_group_num); stek_index=stek_get_idx_by_sni(sni, box->ticket_group_num);
int i=0;
if (memcmp(key_name, steks[stek_index][0].name, 16) == 0) for(i=0; i<STEK_WINDOW_SIZE; i++)
{ {
*result=steks[stek_index][0]; if (memcmp(key_name, steks[stek_index][i].name, 16) == 0)
ret = STEK_FOUND_FRESH; {
} *result=steks[stek_index][i];
else if(memcmp(key_name, steks[stek_index][1].name, 16) == 0) ret=(i==0?STEK_FOUND_FRESH:STEK_FOUND_STALED);
{ break;
*result=steks[stek_index][1]; }
ret = STEK_FOUND_STALED; }
}
pthread_rwlock_unlock(&(box->stek_rwlock)); pthread_rwlock_unlock(&(box->stek_rwlock));
return ret; return ret;
} }

36
platform/src/ssl_stream.cpp
View File

@@ -869,7 +869,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
} }
if(strlen(tls13_cipher)>0 && s_stream->ssl_max_version==TLS1_3_VERSION) if(strlen(tls13_cipher)>0 && s_stream->ssl_max_version==TLS1_3_VERSION)
{ {
SSL_CTX_set_ciphersuites(sslctx, tls13_cipher); //SSL_CTX_set_ciphersuites(sslctx, tls13_cipher);
} }
if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 || if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 ||
@@ -881,6 +881,25 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_client_cert_cb(sslctx, ossl_client_cert_cb); SSL_CTX_set_client_cert_cb(sslctx, ossl_client_cert_cb);
if(mgr->no_sesscache)
{
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_OFF);
}
else
{
SSL_CTX_set_session_cache_mode(sslctx, SSL_SESS_CACHE_NO_INTERNAL);
/* session resuming based on remote endpoint address and port */
sess = up_session_get(mgr->up_sess_cache,
(struct sockaddr *) &(s_stream->addr), s_stream->addrlen, chello->sni,
s_stream->ssl_min_version, s_stream->ssl_max_version);
if (sess)
{
ret=SSL_CTX_add_session(sslctx, sess); /* increments sess refcount */
assert(ret==1);
SSL_SESSION_free(sess);
}
}
ssl = SSL_new(sslctx); ssl = SSL_new(sslctx);
SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ SSL_CTX_free(sslctx); /* SSL_new() increments refcount */
if (!ssl) if (!ssl)
@@ -901,21 +920,6 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
/* lower memory footprint for idle connections */ /* lower memory footprint for idle connections */
SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS); SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);
if(!mgr->no_sesscache)
{
if(ret == 0)
{
/* session resuming based on remote endpoint address and port */
sess = up_session_get(mgr->up_sess_cache,
(struct sockaddr *) &(s_stream->addr), s_stream->addrlen, chello->sni,
s_stream->ssl_min_version, s_stream->ssl_max_version);
if (sess)
{
SSL_set_session(ssl, sess); /* increments sess refcount */
SSL_SESSION_free(sess);
}
}
}
s_stream->ssl=ssl; s_stream->ssl=ssl;
return ; return ;
} }