[TLS] server.feature-flags "ssl.session-cache"
disabled by default, but can be enabled (session tickets should be preferred). Applies to mod_openssl, mod_wolfssl, mod_nss. Session cache is not currently implemented in mod_mbedtls or mod_gnutls.
This commit is contained in:
parent
1d27391c29
commit
31fc3a0773
@ -9,7 +9,8 @@
*
* Note: If session tickets are -not- disabled with
* ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
* mod_gnutls rotates server ticket encryption key (STEK) every 24 hours.
* mod_gnutls rotates server ticket encryption key (STEK) every 18 hours.
* (https://gnutls.org/manual/html_node/Session-resumption.html)
* This is fine for use with a single lighttpd instance, but with multiple
* lighttpd workers, no coordinated STEK (server ticket encryption key)
* rotation occurs unless ssl.stek-file is defined and maintained (preferred),
@ -21,10 +22,15 @@
* resumption, since clients have a lower chance for future connections to
* reach the same lighttpd worker. However, things will still work, and a new
* session will be created if session resumption fails. Admins should plan to
* restart lighttpd at least every 24 hours if session tickets are enabled and
* restart lighttpd at least every 18 hours if session tickets are enabled and
* multiple lighttpd workers are configured. Since that is likely disruptive,
* if multiple lighttpd workers are configured, ssl.stek-file should be
* defined and the file maintained externally.
*
* future possible enhancements to lighttpd mod_gnutls:
* - session cache (though session tickets are implemented)
* See gnutls_db_set_store_function() and gnutls_db_set_retrieve_function()
* (and do not enable unless server.feature-flags ssl.session-cache enabled)
*/
#include "first.h"
|
@ -23,6 +23,7 @@
* future possible enhancements to lighttpd mod_mbedtls:
* - session cache (though session tickets are implemented)
* sample code in mbedtls:programs/ssl/ssl_server2.c
* (and do not enable unless server.feature-flags ssl.session-cache enabled)
*
* Note: If session tickets are -not- disabled with
* ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
@ -1546,6 +1546,14 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
{
UNUSED(p);
const int disable_sess_cache =
srv->srvconf.feature_flags
&& !config_plugin_value_tobool(
array_get_element_klen(srv->srvconf.feature_flags,
CONST_STR_LEN("ssl.session-cache")), 0);
if (!disable_sess_cache) /* undo disable from mod_nss_init_once_nss() */
SSL_OptionSetDefault(SSL_NO_CACHE, PR_FALSE);
/* use PR_CreateSocketPollFd() for dummy;
* PR_CreateIOLayerStub() was resulting in crashes
* when SSL_ImportFD() attempted ssl_DefGetpeername() */
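Review bot: The feature-flag lookup that computes `disable_sess_cache` (the `srv->srvconf.feature_flags && !config_plugin_value_tobool(array_get_element_klen(...))` block) is repeated verbatim in the mod_openssl and mod_wolfssl hunks of this commit; a small shared helper in the common TLS config code would keep the three modules from drifting on the flag name or its default. Here the flag only clears the process-wide `SSL_NO_CACHE` default; for server-side resumption by session ID, NSS also needs the server session-ID cache set up (SSL_ConfigServerSessionIDCache() or its multi-process variant), so if that is not already done in mod_nss_init_once_nss() or elsewhere, enabling the flag changes nothing — worth a comment either way, e.g. `/* server-side caching also needs SSL_ConfigServerSessionIDCache(); see init_once */`. Because SSL_OptionSetDefault() is a library-wide default rather than a per-socket setting, the comment could also note that every listening socket yields the same result since feature_flags is server-global. network_init_ssl continues outside the hunk.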
@ -2089,10 +2089,17 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
return -1;
}
/* disable session cache; session tickets are preferred */
SSL_CTX_set_session_cache_mode(s->ssl_ctx, SSL_SESS_CACHE_OFF
| SSL_SESS_CACHE_NO_AUTO_CLEAR
| SSL_SESS_CACHE_NO_INTERNAL);
const int disable_sess_cache =
srv->srvconf.feature_flags
&& !config_plugin_value_tobool(
array_get_element_klen(srv->srvconf.feature_flags,
CONST_STR_LEN("ssl.session-cache")), 0);
if (disable_sess_cache)
/* disable session cache; session tickets are preferred */
SSL_CTX_set_session_cache_mode(s->ssl_ctx,
SSL_SESS_CACHE_OFF
| SSL_SESS_CACHE_NO_AUTO_CLEAR
| SSL_SESS_CACHE_NO_INTERNAL);
if (s->ssl_empty_fragments) {
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
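Review bot: The new `if (disable_sess_cache)` has no braces around a body that spans five lines, with a comment sitting between the condition and the call; brace it (`if (disable_sess_cache) {` ... `}`) so a statement later inserted after the comment cannot silently escape the condition — the mod_wolfssl hunk has the same shape. When the flag leaves the cache on, OpenSSL's built-in server-side cache runs at library defaults for size and timeout with nothing in this function bounding it; a one-line comment saying so, or explicit SSL_CTX_sess_set_cache_size()/SSL_CTX_set_timeout() calls, would make the resource ceiling of the opt-in visible to whoever enables it. network_init_ssl starts and continues outside the hunk.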
@ -1835,10 +1835,17 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
}
#if !defined(NO_SESSION_CACHE)
/* disable session cache; session tickets are preferred */
SSL_CTX_set_session_cache_mode(s->ssl_ctx, SSL_SESS_CACHE_OFF
| SSL_SESS_CACHE_NO_AUTO_CLEAR
| SSL_SESS_CACHE_NO_INTERNAL);
const int disable_sess_cache =
srv->srvconf.feature_flags
&& !config_plugin_value_tobool(
array_get_element_klen(srv->srvconf.feature_flags,
CONST_STR_LEN("ssl.session-cache")), 0);
if (disable_sess_cache)
/* disable session cache; session tickets are preferred */
SSL_CTX_set_session_cache_mode(s->ssl_ctx,
SSL_SESS_CACHE_OFF
| SSL_SESS_CACHE_NO_AUTO_CLEAR
| SSL_SESS_CACHE_NO_INTERNAL);
#endif
if (s->ssl_empty_fragments) {
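Review bot: The whole flag lookup sits inside `#if !defined(NO_SESSION_CACHE)`, so on a wolfSSL build compiled with NO_SESSION_CACHE an admin who sets server.feature-flags ssl.session-cache gets neither a cache nor any indication that the setting was ignored. A `#else` branch that logs the mismatch once, or at least a comment such as `/* NO_SESSION_CACHE builds silently ignore ssl.session-cache */`, would make the silent no-op visible. network_init_ssl starts and continues outside the hunk.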