You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/04/08 19:02:25 UTC
[jira] [Updated] (TS-3687) ATS Session Cache table never removes
expired sessions
[ https://issues.apache.org/jira/browse/TS-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-3687:
------------------------------
Fix Version/s: (was: 6.2.0)
sometime
> ATS Session Cache table never removes expired sessions
> ------------------------------------------------------
>
> Key: TS-3687
> URL: https://issues.apache.org/jira/browse/TS-3687
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
> Fix For: sometime
>
>
> While this sounds bad, it is only a performance issue. It is not a security issue. Openssl will not allow the expired sessions to be used.
> Here are the details.
> When you use the ATS version of the ssl session cache, ATS registers
> callbacks to handle creating new sessions, getting existing sessions,
> and removing old sessions. While debugging the new session plugin API,
> I saw that the new sessions and get session callbacks were being
> triggered but the remove session callback was never being triggered.
> At first I was concerned that we were never removing sessions from the
> cache and reusing them forever. I poked through the openssl 1.0.1 (and
> briefly the 1.0.2) code and set some break points, and verified that the
> stale sessions are being rejected but the code only tries to remove it
> from the openssl internal cache implementation (which failed and so the
> remove callback was never triggered).
> So I think this is only a performance problem. The old session cache is
> never removed from the ATS session cache until we run out of space and
> the old values are evicted.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)