From adec2c06bf72f44da109219102374bf25a6919e0 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 24 Jul 2015 23:59:19 +0900
Subject: [PATCH] nghttpx: Set SSL/TLS session timeout to 12 hours

---
 src/shrpx.cc | 11 ++++++++---
 src/shrpx_config.h | 1 +
 src/shrpx_ssl.cc | 1 +
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/shrpx.cc b/src/shrpx.cc
index c17f604e..01d15205 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -643,15 +643,19 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) {
   // possible problem when one worker encrypt new key, but one worker,
   // which did not take the that key yet, and cannot decrypt it.
   //
-  // We keep keys for 12 hours. Thus the maximum ticket vector size
-  // is 12 + 1.
+  // We keep keys for get_config()->tls_session_timeout seconds. The
+  // default is 12 hours. Thus the maximum ticket vector size is 12.
   if (old_ticket_keys) {
     auto &old_keys = old_ticket_keys->keys;
     auto &new_keys = ticket_keys->keys;
 
     assert(!old_keys.empty());
 
-    new_keys.resize(std::min(12ul, old_keys.size() + 1));
+    auto max_tickets =
+        static_cast(std::chrono::duration_cast(
+            get_config()->tls_session_timeout).count());
+
+    new_keys.resize(std::min(max_tickets, old_keys.size() + 1));
     std::copy_n(std::begin(old_keys), new_keys.size() - 1,
                 std::begin(new_keys) + 1);
   } else {
@@ -1016,6 +1020,7 @@ void fill_default_config() {
   mod_config()->downstream_addr_group_catch_all = 0;
   mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
   mod_config()->tls_ticket_cipher_given = false;
+  mod_config()->tls_session_timeout = std::chrono::hours(12);
 }
 
 } // namespace
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index 749c7399..9f0e52f8 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
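Review bot: `max_tickets` in the new `auto max_tickets = ...` statement becomes 0 whenever `tls_session_timeout` is shorter than one hour, because `duration_cast` to hours truncates toward zero; `new_keys.resize(0)` then makes `new_keys.size() - 1` wrap to SIZE_MAX in the `std::copy_n` that follows, which writes far past the vector. The default set in `fill_default_config()` is 12 hours and this commit adds no option to change it, so the path is not reachable yet, but the rewritten comment already presents the timeout as the governing value. A clamp after the cast closes it, `max_tickets = std::max<size_t>(1, max_tickets);`, unless a sub-hour timeout is meant to drop every old key, in which case that case should be handled explicitly before the copy. The conversion to whole hours also presumes the rotation timer fires hourly, which is not visible in this hunk; if that interval is ever made configurable the two must stay in step. `renew_ticket_key_cb` begins before this hunk.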
@@ -253,6 +253,7 @@ struct Config {
   std::vector tls_proto_list;
   // binary form of http proxy host and port
   sockaddr_union downstream_http_proxy_addr;
+  std::chrono::seconds tls_session_timeout;
   ev_tstamp http2_upstream_read_timeout;
   ev_tstamp upstream_read_timeout;
   ev_tstamp upstream_write_timeout;
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 2d4635cd..0681888e 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -346,6 +346,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file,
   const unsigned char sid_ctx[] = "shrpx";
   SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
   SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
+  SSL_CTX_set_timeout(ssl_ctx, get_config()->tls_session_timeout.count());
 
   const char *ciphers;
   if (get_config()->ciphers) {
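Review bot: The new `tls_session_timeout` member is added among the `ev_tstamp` timeouts without a comment, although it is the only one expressed as `std::chrono::seconds` and it feeds two otherwise unrelated places, `SSL_CTX_set_timeout()` in `create_ssl_context()` and the retained ticket-key count in `renew_ticket_key_cb()`. A one-line comment above it would spare the next reader a grep: `// TLS session lifetime; also bounds how many old ticket keys renew_ticket_key_cb() keeps`.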
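Review bot: `tls_session_timeout.count()` is `std::chrono::seconds::rep`, a signed type of at least 35 bits that is `long long` on some ABIs, while `SSL_CTX_set_timeout()` takes `long`, so the new call narrows implicitly on those targets; `SSL_CTX_set_timeout(ssl_ctx, static_cast<long>(get_config()->tls_session_timeout.count()));` states the intent and keeps -Wconversion quiet. Raising the lifetime from OpenSSL's 300-second default to 12 hours also means the server-side cache enabled by `SSL_SESS_CACHE_SERVER` on the preceding line retains entries far longer; unless a cache size is set elsewhere, OpenSSL's built-in cap of `SSL_SESSION_CACHE_MAX_SIZE_DEFAULT` entries per context bounds the memory, which is worth confirming per worker given the multi-worker layout the shrpx.cc hunk describes. The rest of `create_ssl_context` lies outside this hunk.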