[nginx] SSL: disabled saving tickets to session cache.

Sergey Kandaurov
October 13, 2022 06:58AM
details: https://hg.nginx.org/nginx/rev/026ee23b6774
branches:
changeset: 8074:026ee23b6774
user: Maxim Dounin <mdounin@mdounin.ru>
date: Wed Oct 12 20:14:34 2022 +0300
description:
SSL: disabled saving tickets to session cache.

OpenSSL tries to save TLSv1.3 sessions into session cache even when using
tickets for stateless session resumption, "because some applications just
want to know about the creation of a session". To avoid trashing session
cache with useless data, we do not save such sessions now.

diffstat:

src/event/ngx_event_openssl.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)

diffs (27 lines):

diff -r aa663cc2a77d -r 026ee23b6774 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Sep 27 11:31:16 2022 +0400
+++ b/src/event/ngx_event_openssl.c Wed Oct 12 20:14:34 2022 +0300
@@ -3818,6 +3818,23 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
ngx_ssl_session_cache_t *cache;
u_char buf[NGX_SSL_MAX_SESSION_SIZE];

+#ifdef TLS1_3_VERSION
+
+ /*
+ * OpenSSL tries to save TLSv1.3 sessions into session cache
+ * even when using tickets for stateless session resumption,
+ * "because some applications just want to know about the creation
+ * of a session"; do not cache such sessions
+ */
+
+ if (SSL_version(ssl_conn) == TLS1_3_VERSION
+ && (SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0)
+ {
+ return 0;
+ }
+
+#endif
+
len = i2d_SSL_SESSION(sess, NULL);

/* do not cache too big session */
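
Review bot: The early `return 0;` in the new `#ifdef TLS1_3_VERSION` block of ngx_ssl_new_session() depends on two facts the comment leaves implicit, and both are worth stating there. First, the `(SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0` test is what stands in for "using tickets for stateless session resumption": when SSL_OP_NO_TICKET is set, TLSv1.3 sessions still fall through to the cache code below, and a reader should be told that this is intentional. Second, returning 0 here means the function did not keep a reference to the session, so the skip path takes no ownership and needs no cleanup. The placement before `i2d_SSL_SESSION(sess, NULL)` is good, since it avoids serializing a session that will never be stored. One further point to consider is that `SSL_version(ssl_conn) == TLS1_3_VERSION` is an exact match, so the comment or the condition should make clear whether later protocol versions are meant to be cached or skipped.
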
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org