[PATCH 06 of 11] SSL: explicit clearing of expired sessions

Maxim Dounin
August 25, 2022 11:14PM
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1661481952 -10800
# Fri Aug 26 05:45:52 2022 +0300
# Node ID d5c6eae914325fb6a9b19105fe09aecd04da21e2
# Parent e88baee178eed529c6170678e373f5e2e0883c37
SSL: explicit clearing of expired sessions.

This reduces lifetime of session keying material in server's memory, and
therefore can be beneficial from forward secrecy point of view.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -4025,6 +4025,8 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_

ngx_rbtree_delete(&cache->session_rbtree, node);

+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#endif
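Review bot: in ngx_ssl_get_cached_session() the new ngx_explicit_memzero() call sits above the #if (NGX_PTR_SIZE == 8) block, so it runs on every build, while ngx_slab_free_locked(shpool, sess_id->session) runs only on 64-bit ones. If that is intentional (the session bytes still need wiping where they are not freed separately), a short comment above the call would keep someone from later moving it inside the #if next to the free.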
@@ -4114,6 +4116,8 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx

ngx_rbtree_delete(&cache->session_rbtree, node);

+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#endif
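Review bot: the commit message speaks only of expired sessions, but judging by the function name this call in ngx_ssl_remove_session() wipes the data whenever a session is removed, expired or not. Consider wording the summary as clearing of removed sessions, or mentioning explicit removal in the description, so the log matches all three call sites.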
@@ -4162,6 +4166,8 @@ ngx_ssl_expire_sessions(ngx_ssl_session_

ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);

+ ngx_explicit_memzero(sess_id->session, sess_id->len);
+
#if (NGX_PTR_SIZE == 8)
ngx_slab_free_locked(shpool, sess_id->session);
#endif
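Review bot: in ngx_ssl_expire_sessions() this is the third copy of the same sequence: ngx_rbtree_delete(), ngx_explicit_memzero(sess_id->session, sess_id->len), then the conditional ngx_slab_free_locked(). Since the wipe is now a security property of every removal path, consider moving the sequence into one static helper that takes sess_id, so a path added later cannot free a session without zeroing it first.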

_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org