
[PATCH] SSL: raised limit for upstream session size

Sergey Kandaurov
December 22, 2023 09:30AM
# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1703255284 -14400
# Fri Dec 22 18:28:04 2023 +0400
# Node ID a463fb67e143c051fd373d1df94e5813a37d5cea
# Parent 44266e0651c44f530c4aa66e68c1b9464a9acee7
SSL: raised limit for upstream session size.

Unlike shared session cache used to store multiple client SSL sessions and
which may be per a single SSL connection, sessions saved from upstream are
per upstream server peer, so there is no such multiplier effect, but they
may be of noticeably larger size due to session tickets being used.

It was observed that session tickets sent from JVM backends may result in
a decoded session size close to the previous maximum session size limit of
4096 or slightly beyond. Raising the limit allows such sessions to be saved.

diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -137,7 +137,8 @@ struct ngx_ssl_connection_s {
#define NGX_SSL_DFLT_BUILTIN_SCACHE -5


-#define NGX_SSL_MAX_SESSION_SIZE 4096
+#define NGX_SSL_MAX_SESSION_SIZE 4096
+#define NGX_SSL_CLIENT_MAX_SESSION_SIZE 8192

typedef struct ngx_ssl_sess_id_s ngx_ssl_sess_id_t;
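Review bot: The new `NGX_SSL_CLIENT_MAX_SESSION_SIZE` has no comment, and "client" is easy to misread: the commit message uses "client SSL sessions" for entries in the shared session cache, whereas this limit applies to sessions nginx saves when it is itself the TLS client towards an upstream peer. A line above the define such as `/* serialized session saved per upstream peer; larger because of session tickets */` would record why the two limits differ. It would also make it less likely that the shared-cache limit is later raised to match, where the commit message says a multiplier effect applies. The header continues outside the hunk.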

diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c
--- a/src/http/ngx_http_upstream_round_robin.c
+++ b/src/http/ngx_http_upstream_round_robin.c
@@ -685,7 +685,7 @@ ngx_http_upstream_set_round_robin_peer_s
int len;
const u_char *p;
ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif

peer = rrp->current;
@@ -747,7 +747,7 @@ ngx_http_upstream_save_round_robin_peer_
int len;
u_char *p;
ngx_http_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif

#if (NGX_HTTP_UPSTREAM_ZONE)
@@ -768,7 +768,7 @@ ngx_http_upstream_save_round_robin_peer_

/* do not cache too big session */

- if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ if (len > NGX_SSL_CLIENT_MAX_SESSION_SIZE) {
return;
}
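Review bot: The size check `if (len > NGX_SSL_CLIENT_MAX_SESSION_SIZE)` has only an upper bound, while `len` is a signed `int` (declared in the previous hunk), so a zero or negative length would still reach whatever fills the 8192-byte `buf`. How `len` is computed lies above the hunk, so this is inferred; if it comes from a serializer that signals failure with a non-positive value, `if (len <= 0 || len > NGX_SSL_CLIENT_MAX_SESSION_SIZE) {` closes that path. The same check appears in the stream module hunk at `@@ -800,7 +800,7 @@`. Because the early return is silent, a debug-level log line carrying `len` would let operators see when a peer's session is dropped and reuse is lost. The function body starts and ends outside the hunk.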

diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
--- a/src/stream/ngx_stream_upstream_round_robin.c
+++ b/src/stream/ngx_stream_upstream_round_robin.c
@@ -717,7 +717,7 @@ ngx_stream_upstream_set_round_robin_peer
int len;
const u_char *p;
ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif

peer = rrp->current;
@@ -779,7 +779,7 @@ ngx_stream_upstream_save_round_robin_pee
int len;
u_char *p;
ngx_stream_upstream_rr_peers_t *peers;
- u_char buf[NGX_SSL_MAX_SESSION_SIZE];
+ u_char buf[NGX_SSL_CLIENT_MAX_SESSION_SIZE];
#endif

#if (NGX_STREAM_UPSTREAM_ZONE)
@@ -800,7 +800,7 @@ ngx_stream_upstream_save_round_robin_pee

/* do not cache too big session */

- if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ if (len > NGX_SSL_CLIENT_MAX_SESSION_SIZE) {
return;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel