nghttpx: Set SSL/TLS session timeout to 12 hours

2015-07-24 23:59:19 +09:00 · 2015-07-24 23:59:19 +09:00 · adec2c06bf
parent 6c8243f6d2
commit adec2c06bf
3 changed files with 10 additions and 3 deletions
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@ -643,15 +643,19 @@ void renew_ticket_key_cb(struct ev_loop *loop, ev_timer *w, int revents) {
  // possible problem when one worker encrypt new key, but one worker,
  // which did not take the that key yet, and cannot decrypt it.
  //
-  // We keep keys for 12 hours.  Thus the maximum ticket vector size
-  // is 12 + 1.
+  // We keep keys for get_config()->tls_session_timeout seconds.  The
+  // default is 12 hours.  Thus the maximum ticket vector size is 12.
  if (old_ticket_keys) {
    auto &old_keys = old_ticket_keys->keys;
    auto &new_keys = ticket_keys->keys;

    assert(!old_keys.empty());

-    new_keys.resize(std::min(12ul, old_keys.size() + 1));
+    auto max_tickets =
+        static_cast<size_t>(std::chrono::duration_cast<std::chrono::hours>(
+                                get_config()->tls_session_timeout).count());
+
+    new_keys.resize(std::min(max_tickets, old_keys.size() + 1));
    std::copy_n(std::begin(old_keys), new_keys.size() - 1,
                std::begin(new_keys) + 1);
  } else {
@ -1016,6 +1020,7 @@ void fill_default_config() {
  mod_config()->downstream_addr_group_catch_all = 0;
  mod_config()->tls_ticket_cipher = EVP_aes_128_cbc();
  mod_config()->tls_ticket_cipher_given = false;
+  mod_config()->tls_session_timeout = std::chrono::hours(12);
 }
 } // namespace

--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@ -253,6 +253,7 @@ struct Config {
  std::vector<std::string> tls_proto_list;
  // binary form of http proxy host and port
  sockaddr_union downstream_http_proxy_addr;
+  std::chrono::seconds tls_session_timeout;
  ev_tstamp http2_upstream_read_timeout;
  ev_tstamp upstream_read_timeout;
  ev_tstamp upstream_write_timeout;
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@ -346,6 +346,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file,
  const unsigned char sid_ctx[] = "shrpx";
  SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
  SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
+  SSL_CTX_set_timeout(ssl_ctx, get_config()->tls_session_timeout.count());

  const char *ciphers;
  if (get_config()->ciphers) {