walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

nghttpx: Set SSL/TLS session timeout to 12 hours

This commit is contained in:
Tatsuhiro Tsujikawa 2015-07-24 23:59:19 +09:00
parent 6c8243f6d2
commit adec2c06bf
3 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/shrpx.cc
View File

@ -643,15 +643,19 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) {
// possible problem when one worker encrypt new key, but one worker, // possible problem when one worker encrypt new key, but one worker,
// which did not take the that key yet, and cannot decrypt it. // which did not take the that key yet, and cannot decrypt it.
// //
// We keep keys for 12 hours. Thus the maximum ticket vector size // We keep keys for get_config()->tls_session_timeout seconds. The
// is 12 + 1. // default is 12 hours. Thus the maximum ticket vector size is 12.
if (old_ticket_keys) { if (old_ticket_keys) {
auto &old_keys = old_ticket_keys->keys; auto &old_keys = old_ticket_keys->keys;
auto &new_keys = ticket_keys->keys; auto &new_keys = ticket_keys->keys;
assert(!old_keys.empty()); assert(!old_keys.empty());
new_keys.resize(std::min(12ul, old_keys.size() + 1)); auto max_tickets =
static_cast<size_t>(std::chrono::duration_cast<std::chrono::hours>(
get_config()->tls_session_timeout).count());
new_keys.resize(std::min(max_tickets, old_keys.size() + 1));
std::copy_n(std::begin(old_keys), new_keys.size() - 1, std::copy_n(std::begin(old_keys), new_keys.size() - 1,
std::begin(new_keys) + 1); std::begin(new_keys) + 1);
} else { } else {
@ -1016,6 +1020,7 @@ void fill_default_config() {
mod_config()->downstream_addr_group_catch_all = 0; mod_config()->downstream_addr_group_catch_all = 0;
mod_config()->tls_ticket_cipher = EVP_aes_128_cbc(); mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
mod_config()->tls_ticket_cipher_given = false; mod_config()->tls_ticket_cipher_given = false;
mod_config()->tls_session_timeout = std::chrono::hours(12);
} }
} // namespace } // namespace

1
src/shrpx_config.h
View File

@ -253,6 +253,7 @@ struct Config {
std::vector<std::string> tls_proto_list; std::vector<std::string> tls_proto_list;
// binary form of http proxy host and port // binary form of http proxy host and port
sockaddr_union downstream_http_proxy_addr; sockaddr_union downstream_http_proxy_addr;
std::chrono::seconds tls_session_timeout;
ev_tstamp http2_upstream_read_timeout; ev_tstamp http2_upstream_read_timeout;
ev_tstamp upstream_read_timeout; ev_tstamp upstream_read_timeout;
ev_tstamp upstream_write_timeout; ev_tstamp upstream_write_timeout;

1
src/shrpx_ssl.cc
View File

@ -346,6 +346,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file,
const unsigned char sid_ctx[] = "shrpx"; const unsigned char sid_ctx[] = "shrpx";
SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1); SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER); SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
SSL_CTX_set_timeout(ssl_ctx, get_config()->tls_session_timeout.count());
const char *ciphers; const char *ciphers;
if (get_config()->ciphers) { if (get_config()->ciphers) {