From 1442b1bd0aab99eea8b3b664241e2c9854931d30 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Tue, 31 Mar 2015 00:42:21 +0900
Subject: [PATCH] nghttpx: Remove --tls-ctx-per-worker option
--tls-ctx-per-worker option does not work well of OCSP stapling. Also it makes session ID useless.
---
 src/shrpx.cc | 18 +-----------------
 src/shrpx_config.cc | 7 -------
 src/shrpx_config.h | 2 --
 src/shrpx_connection_handler.cc | 18 +++---------------
 4 files changed, 4 insertions(+), 41 deletions(-)
diff --git a/src/shrpx.cc b/src/shrpx.cc
index ed7e79a8..9273f7e9 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -919,7 +919,6 @@ void fill_default_config() {
 mod_config()->downstream_connections_per_host = 8;
 mod_config()->downstream_connections_per_frontend = 0;
 mod_config()->listener_disable_timeout = 0.;
- mod_config()->tls_ctx_per_worker = false;
 mod_config()->downstream_request_buffer_size = 16 * 1024;
 mod_config()->downstream_response_buffer_size = 16 * 1024;
 mod_config()->no_server_push = false;
@@ -1197,14 +1196,6 @@ SSL/TLS:
 while opening or reading a file, key is generated automatically and renewed every 12hrs. At most 2 keys are stored in memory.
- --tls-ctx-per-worker
- Create OpenSSL's SSL_CTX per worker, so that no internal
- locking is required. This may improve scalability with
- multi threaded configuration. If this option is
- enabled, session ID is no longer shared accross SSL_CTX
- objects, which means session ID generated by one worker
- is not acceptable by another worker. On the other hand,
- session ticket key is shared across all worker threads.
 --fetch-ocsp-response-file=
 Path to fetch-ocsp-response script file. It should be absolute path.
@@ -1838,10 +1829,6 @@ int main(int argc, char **argv) {
 // --rlimit-nofile
 cmdcfgs.emplace_back(SHRPX_OPT_RLIMIT_NOFILE, optarg);
 break;
- case 70:
- // --tls-ctx-per-worker
- cmdcfgs.emplace_back(SHRPX_OPT_TLS_CTX_PER_WORKER, "yes");
- break;
 case 71:
 // --backend-response-buffer
 cmdcfgs.emplace_back(SHRPX_OPT_BACKEND_RESPONSE_BUFFER, optarg);
@@ -1916,10 +1903,7 @@ int main(int argc, char **argv) {
 }
 #ifndef NOTHREADS
- std::unique_ptr lock;
- if (!get_config()->tls_ctx_per_worker) {
- lock = make_unique();
- }
+ auto lock = make_unique();
 #endif // NOTHREADS
 if (get_config()->accesslog_syslog || get_config()->errorlog_syslog) {
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index fb2ad994..2fc93ec9 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -142,7 +142,6 @@ const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[] =
 const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[] = "listener-disable-timeout";
 const char SHRPX_OPT_TLS_TICKET_KEY_FILE[] = "tls-ticket-key-file";
 const char SHRPX_OPT_RLIMIT_NOFILE[] = "rlimit-nofile";
-const char SHRPX_OPT_TLS_CTX_PER_WORKER[] = "tls-ctx-per-worker";
 const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[] = "backend-request-buffer";
 const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[] = "backend-response-buffer";
 const char SHRPX_OPT_NO_SERVER_PUSH[] = "no-server-push";
@@ -1186,12 +1185,6 @@ int parse_config(const char *opt, const char *optarg) {
 return 0;
 }
- if (util::strieq(opt, SHRPX_OPT_TLS_CTX_PER_WORKER)) {
- mod_config()->tls_ctx_per_worker = util::strieq(optarg, "yes");
-
- return 0;
- }
-
 if (util::strieq(opt, SHRPX_OPT_NO_SERVER_PUSH)) {
 mod_config()->no_server_push = util::strieq(optarg, "yes");
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index 8a6a2649..d3c46a5b 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
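Review bot: Removing `case 70:` from the option switch without also dropping the matching `long_options` entry leaves `--tls-ctx-per-worker` accepted by getopt_long and then silently ignored, since a flag value of 70 now matches no case; the diffstat accounts for all 18 changes in src/shrpx.cc with the four visible hunks, so that table entry appears to be untouched, though the table itself is outside this patch. The same concern applies to the `parse_config` hunk in src/shrpx_config.cc, where a stale `tls-ctx-per-worker` line in a config file now takes whatever path unknown options take. Operators who still set the option get no signal that it no longer exists, so a deployment config that references a removed knob still looks valid. Either delete the long_options entry so startup rejects the option, or keep the case with a deprecation notice, e.g. `case 70: LOG(WARN) << "--tls-ctx-per-worker is deprecated and ignored"; break;`. The enclosing `main` begins and ends outside the hunk.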
@@ -132,7 +132,6 @@ extern const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[];
 extern const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[];
 extern const char SHRPX_OPT_TLS_TICKET_KEY_FILE[];
 extern const char SHRPX_OPT_RLIMIT_NOFILE[];
-extern const char SHRPX_OPT_TLS_CTX_PER_WORKER[];
 extern const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[];
 extern const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[];
 extern const char SHRPX_OPT_NO_SERVER_PUSH[];
@@ -325,7 +324,6 @@ struct Config {
 bool upstream_frame_debug;
 bool no_location_rewrite;
 bool no_host_rewrite;
- bool tls_ctx_per_worker;
 bool no_server_push;
 // true if host contains UNIX domain socket path
 bool host_unix;
diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc
index 0adac5a7..87bf9336 100644
--- a/src/shrpx_connection_handler.cc
+++ b/src/shrpx_connection_handler.cc
@@ -123,25 +123,13 @@ void ConnectionHandler::create_worker_thread(size_t num) {
 #ifndef NOTHREADS
 assert(workers_.size() == 0);
- SSL_CTX *sv_ssl_ctx = nullptr, *cl_ssl_ctx = nullptr;
- ssl::CertLookupTree *cert_tree = nullptr;
-
- if (!get_config()->tls_ctx_per_worker) {
- cert_tree = ssl::create_cert_lookup_tree();
- sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree);
- cl_ssl_ctx = ssl::setup_client_ssl_context();
- }
+ auto cert_tree = ssl::create_cert_lookup_tree();
+ auto sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx_, cert_tree);
+ auto cl_ssl_ctx = ssl::setup_client_ssl_context();
 for (size_t i = 0; i < num; ++i) {
 auto loop = ev_loop_new(0);
- if (get_config()->tls_ctx_per_worker) {
- cert_tree = ssl::create_cert_lookup_tree();
- std::vector all_ssl_ctx;
- sv_ssl_ctx = ssl::setup_server_ssl_context(all_ssl_ctx, cert_tree);
- cl_ssl_ctx = ssl::setup_client_ssl_context();
- }
-
 auto worker = make_unique(loop, sv_ssl_ctx, cl_ssl_ctx, cert_tree, ticket_keys_);
 worker->run_async();