Posted to commits@trafficserver.apache.org by sh...@apache.org on 2015/06/12 16:45:44 UTC

trafficserver git commit: TS-3687: ATS Session Cache should remove expired sessions. This closes #222.

Repository: trafficserver
Updated Branches:
  refs/heads/master cd9990a83 -> c8c9c4fa0


TS-3687: ATS Session Cache should remove expired sessions.  This closes #222.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/c8c9c4fa
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/c8c9c4fa
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/c8c9c4fa

Branch: refs/heads/master
Commit: c8c9c4fa0dad38552553b4235929a4f7ea8aa322
Parents: cd9990a
Author: shinrich <sh...@yahoo-inc.com>
Authored: Thu Jun 11 17:40:58 2015 -0500
Committer: shinrich <sh...@yahoo-inc.com>
Committed: Fri Jun 12 09:40:42 2015 -0500

----------------------------------------------------------------------
 CHANGES                |  2 ++
 iocore/net/SSLUtils.cc | 17 ++++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c8c9c4fa/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 834f7a0..f29cba1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 6.0.0
 
+  *) [TS-3687] ATS Session Cache should remove expired sessions.
+
   *) [TS-3453] Confusion of handling SSL events in write_to_net_io in UnixNetVConnection.cc
 
   *) [TS-3104] Fix lockfile logic which decides whether to kill process or group.

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/c8c9c4fa/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 2a31523..5b0bc4e 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -185,6 +185,12 @@ SSL_CTX_add_extra_chain_cert_file(SSL_CTX *ctx, const char *chainfile)
   return true;
 }
 
+bool ssl_session_timed_out(SSL_SESSION *session) 
+{
+  return SSL_SESSION_get_timeout(session) < (long)(time(NULL) - SSL_SESSION_get_time(session));
+}
+
+static void ssl_rm_cached_session(SSL_CTX *ctx, SSL_SESSION *sess);
 
 static SSL_SESSION *
 ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy)
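Review bot: `ssl_session_timed_out` is added with external linkage and no visible prototype, while the helpers around it in this hunk (`ssl_rm_cached_session`, `ssl_get_cached_session`) are `static`. Unless another translation unit calls it, declare it `static bool ssl_session_timed_out(SSL_SESSION *session)` and drop the trailing space after the parameter list. The function also deserves a one-line comment stating the contract, for example `// True when the session's age (now - creation time) exceeds its timeout; a session exactly at the timeout is still treated as valid.` The age is computed from wall-clock `time(NULL)`, so a backwards clock step makes it negative and the session is treated as live; that is worth a short remark in the same comment, since this check decides whether a resumable TLS session is honoured.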
@@ -201,10 +207,15 @@ ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy)
   SSL_SESSION *session = NULL;
 
   if (session_cache->getSession(sid, &session)) {
-    return session;
+    // Double check the timeout
+    if (session &&  ssl_session_timed_out(session)) {
+      // Due to bug in openssl, the timeout is checked, but only removed
+      // from the openssl built-in hash table.  The external remove cb is not called
+      ssl_rm_cached_session(SSL_get_SSL_CTX(ssl), session);
+      session = NULL;
+    }
   }
-
-  return NULL;
+  return session;
 }
 
 static int
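Review bot: In the expired branch the pointer is dropped with `session = NULL;` and nothing releases it. The body of `getSession` is not visible here, so this is conditional: if it hands back a reference the caller owns (for instance a freshly deserialized `SSL_SESSION`), every lookup of an expired ID leaks one session object, and such lookups are triggered by whatever session ID a client presents. In that case add `SSL_SESSION_free(session);` after the `ssl_rm_cached_session(...)` call and before the pointer is cleared. Otherwise add a comment saying who owns the reference. The `session &&` guard suggests `getSession` can return true with a NULL session, so document that case or assert on it. The start of `ssl_get_cached_session` and the definition of `ssl_rm_cached_session` are outside this hunk.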