diff --git a/src/shrpx.cc b/src/shrpx.cc index ed7e79a8..9273f7e9 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -919,7 +919,6 @@ void fill_default_config() { mod_config()->downstream_connections_per_host = 8; mod_config()->downstream_connections_per_frontend = 0; mod_config()->listener_disable_timeout = 0.; - mod_config()->tls_ctx_per_worker = false; mod_config()->downstream_request_buffer_size = 16 * 1024; mod_config()->downstream_response_buffer_size = 16 * 1024; mod_config()->no_server_push = false; @@ -1197,14 +1196,6 @@ SSL/TLS: while opening or reading a file, key is generated automatically and renewed every 12hrs. At most 2 keys are stored in memory. - --tls-ctx-per-worker - Create OpenSSL's SSL_CTX per worker, so that no internal - locking is required. This may improve scalability with - multi threaded configuration. If this option is - enabled, session ID is no longer shared accross SSL_CTX - objects, which means session ID generated by one worker - is not acceptable by another worker. On the other hand, - session ticket key is shared across all worker threads. --fetch-ocsp-response-file= Path to fetch-ocsp-response script file. It should be absolute path. @@ -1838,10 +1829,6 @@ int main(int argc, char **argv) { // --rlimit-nofile cmdcfgs.emplace_back(SHRPX_OPT_RLIMIT_NOFILE, optarg); break; - case 70: - // --tls-ctx-per-worker - cmdcfgs.emplace_back(SHRPX_OPT_TLS_CTX_PER_WORKER, "yes"); - break; case 71: // --backend-response-buffer cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_RESPONSE_BUFFER, optarg); @@ -1916,10 +1903,7 @@ int main(int argc, char **argv) { } #ifndef NOTHREADS - std::unique_ptr lock; - if (!get_config()->tls_ctx_per_worker) { - lock = make_unique(); - } + auto lock = make_unique(); #endif // NOTHREADS if (get_config()->accesslog_syslog || get_config()->errorlog_syslog) { diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index fb2ad994..2fc93ec9 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -142,7 +142,6 @@ const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[] = const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[] = "listener-disable-timeout"; const char SHRPX_OPT_TLS_TICKET_KEY_FILE[] = "tls-ticket-key-file"; const char SHRPX_OPT_RLIMIT_NOFILE[] = "rlimit-nofile"; -const char SHRPX_OPT_TLS_CTX_PER_WORKER[] = "tls-ctx-per-worker"; const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[] = "backend-request-buffer"; const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[] = "backend-response-buffer"; const char SHRPX_OPT_NO_SERVER_PUSH[] = "no-server-push"; @@ -1186,12 +1185,6 @@ int parse_config(const char *opt, const char *optarg) { return 0; } - if (util::strieq(opt, SHRPX_OPT_TLS_CTX_PER_WORKER)) { - mod_config()->tls_ctx_per_worker = util::strieq(optarg, "yes"); - - return 0; - } - if (util::strieq(opt, SHRPX_OPT_NO_SERVER_PUSH)) { mod_config()->no_server_push = util::strieq(optarg, "yes"); diff --git a/src/shrpx_config.h b/src/shrpx_config.h index 8a6a2649..d3c46a5b 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h @@ -132,7 +132,6 @@ extern const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[]; extern const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[]; extern const char SHRPX_OPT_TLS_TICKET_KEY_FILE[]; extern const char SHRPX_OPT_RLIMIT_NOFILE[]; -extern const char SHRPX_OPT_TLS_CTX_PER_WORKER[]; extern const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[]; extern const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[]; extern const char SHRPX_OPT_NO_SERVER_PUSH[]; @@ -325,7 +324,6 @@ struct Config { bool upstream_frame_debug; bool no_location_rewrite; bool no_host_rewrite; - bool tls_ctx_per_worker; bool no_server_push; // true if host contains UNIX domain socket path bool host_unix; diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc index 0adac5a7..87bf9336 100644 --- a/src/shrpx_connection_handler.cc +++ b/src/shrpx_connection_handler.cc @@ -123,25 +123,13 @@ void ConnectionHandler::create_worker_thread(size_t num) { #ifndef NOTHREADS assert(workers_.size() == 0); - SSL_CTX *sv_ssl_ctx = nullptr, *cl_ssl_ctx = nullptr; - ssl::CertLookupTree *cert_tree = nullptr; - - if (!get_config()->tls_ctx_per_worker) { - cert_tree = ssl::create_cert_lookup_tree(); - sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree); - cl_ssl_ctx = ssl::setup_client_ssl_context(); - } + auto cert_tree = ssl::create_cert_lookup_tree(); + auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree); + auto cl_ssl_ctx = ssl::setup_client_ssl_context(); for (size_t i = 0; i < num; ++i) { auto loop = ev_loop_new(0); - if (get_config()->tls_ctx_per_worker) { - cert_tree = ssl::create_cert_lookup_tree(); - std::vector all_ssl_ctx; - sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx, cert_tree); - cl_ssl_ctx = ssl::setup_client_ssl_context(); - } - auto worker = make_unique(loop, sv_ssl_ctx, cl_ssl_ctx, cert_tree, ticket_keys_); worker->run_async();