Posted to commits@trafficserver.apache.org by jp...@apache.org on 2013/12/04 19:26:44 UTC
git commit: TS-2416: configurable TLS session timeout threshold
Updated Branches:
refs/heads/master fc3b25fe4 -> 439b504f1
TS-2416: configurable TLS session timeout threshold
Default is 300 seconds. Making this configurable lets the application
specify the expiration threshold for the internal session cache and for
session tickets.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/439b504f
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/439b504f
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/439b504f
Branch: refs/heads/master
Commit: 439b504f137fa4fa3d31506afd4ad8d3a631783f
Parents: fc3b25f
Author: Wei Sun <su...@yahoo-inc.com>
Authored: Wed Dec 4 10:20:31 2013 -0800
Committer: James Peach <jp...@apache.org>
Committed: Wed Dec 4 10:26:26 2013 -0800
----------------------------------------------------------------------
CHANGES | 5 ++++-
doc/reference/configuration/records.config.en.rst | 6 ++++++
iocore/net/P_SSLConfig.h | 1 +
iocore/net/SSLConfig.cc | 2 ++
iocore/net/SSLUtils.cc | 3 +++
mgmt/RecordsConfig.cc | 3 ++-
6 files changed, 18 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 94ccedb..504e1a0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,9 +2,12 @@
Changes with Apache Traffic Server 4.2.0
+ *) [TS-2416] Make TLS the session timeout threshold configurable.
+ Author: Wei Sun <su...@yahoo-inc.com>
+
*) [TS-2335] adding ts_lua plugin to experimental directory
- *) [TS-2347] buffer_upload uses unsafe function tempnam(). Replace it
+ *) [TS-2347] buffer_upload uses unsafe function tempnam(). Replace it
with mkstemp()
*) [TS-1815] Add thread number and port to accept thread name and
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/doc/reference/configuration/records.config.en.rst
----------------------------------------------------------------------
diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst
index fc17b3e..f95dfc8 100644
--- a/doc/reference/configuration/records.config.en.rst
+++ b/doc/reference/configuration/records.config.en.rst
@@ -1957,6 +1957,12 @@ SSL Termination
buffering at the SSL layer. The default of ``0`` means to always
write all available data into a single SSL record.
+.. ts:cv:: CONFIG proxy.config.ssl.session_cache.timeout INT 0
+
+ This configuration specifies the lifetime of SSL session cache
+ entries in seconds. If it is ``0``, then the SSL library will use
+ a default value, typically 300 seconds.
+
Client-Related Configuration
----------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index facfb25..b258b6c 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -66,6 +66,7 @@ struct SSLConfigParams : public ConfigInfo
int verify_depth;
int ssl_session_cache; // SSL_SESSION_CACHE_MODE
int ssl_session_cache_size;
+ int ssl_session_cache_timeout;
char * clientCertPath;
char * clientKeyPath;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 9c75fcc..72b7c42 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -64,6 +64,7 @@ SSLConfigParams::SSLConfigParams()
ssl_ctx_options = 0;
ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER;
ssl_session_cache_size = 1024*20;
+ ssl_session_cache_timeout = 0;
}
SSLConfigParams::~SSLConfigParams()
@@ -184,6 +185,7 @@ SSLConfigParams::initialize()
// SSL session cache configurations
REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache");
REC_ReadConfigInteger(ssl_session_cache_size, "proxy.config.ssl.session_cache.size");
+ REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout");
// SSL record size
REC_EstablishStaticConfigInt32(ssl_maxrecord, "proxy.config.ssl.max_record_size");
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 19f65b6..228870a 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -310,6 +310,9 @@ SSLInitServerContext(
case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
SSL_CTX_sess_set_cache_size(ctx, params->ssl_session_cache_size);
+ if (params->ssl_session_cache_timeout) {
+ SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout);
+ }
break;
}
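Review bot: A negative `proxy.config.ssl.session_cache.timeout` passes the `if (params->ssl_session_cache_timeout)` guard and is handed straight to `SSL_CTX_set_timeout`, which takes a `long` and does not validate its argument; as far as I recall OpenSSL's expiry check, a negative timeout makes every cached session look already expired, so a typo in the config silently disables resumption. Since the documentation already defines 0 as "use the library default", the guard should be `if (params->ssl_session_cache_timeout > 0) {`. The call is also placed only in the `SSL_SESSION_CACHE_MODE_SERVER` case, yet the commit description says the threshold is meant to cover session tickets as well; OpenSSL derives the ticket lifetime hint from the context timeout whether or not the internal cache is enabled, so if the other cases of this switch (which starts outside the hunk) leave the timeout untouched, the setting has no effect in a tickets-only configuration. Hoisting the call out of the switch, ahead of it, would make the knob behave as documented in both modes; worth confirming against the rest of SSLInitServerContext, which continues beyond the hunk.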
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/439b504f/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index cc4a74f..a54e018 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1275,7 +1275,8 @@ RecordElement RecordsConfig[] = {
,
{RECT_CONFIG, "proxy.config.ssl.max_record_size", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
-
+ {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+ ,
//##############################################################################
//# ICP Configuration
//##############################################################################
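Review bot: The new record is registered with `RECC_NULL` and no range, so the records system accepts negative values for `proxy.config.ssl.session_cache.timeout` even though the documented contract is "0 means library default, otherwise a lifetime in seconds"; a non-negative range check in that slot, in whatever form the rest of this table uses for integer records, would reject a bad value at load time instead of letting it reach OpenSSL. The record is also marked `RECU_DYNAMIC`, but the value is copied into `SSLConfigParams` by `REC_ReadConfigInteger` and applied when the server SSL_CTX is initialised, so a live change presumably only takes effect when the SSL configuration is reloaded; if that is the case, a one-line note in the records.config documentation saying so would save operators a surprise.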