diff --git a/doc/configuration.txt b/doc/configuration.txt
index 5c15d6a880..fb16c7f1a9 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -887,7 +887,8 @@ tune.ssl.cachesize
 and reassigned. Higher values reduce the occurrence of such a purge, hence the number of CPU-intensive SSL handshakes by ensuring that all users keep their session as long as possible. All entries are pre-allocated upon startup
- and are shared between all processes if "nbproc" is greater than 1.
+ and are shared between all processes if "nbproc" is greater than 1. Setting
+ this value to 0 disables the SSL session cache.
 tune.ssl.lifetime
 Sets how long a cached SSL session may remain valid. This time is expressed
diff --git a/include/proto/shctx.h b/include/proto/shctx.h
index a09c38c4b7..a84e4a6773 100644
--- a/include/proto/shctx.h
+++ b/include/proto/shctx.h
@@ -24,10 +24,6 @@
 #define SHSESS_MAX_DATA_LEN 4096
 #endif
-#ifndef SHCTX_DEFAULT_SIZE
-#define SHCTX_DEFAULT_SIZE 20000
-#endif
-
 #ifndef SHCTX_APPNAME
 #define SHCTX_APPNAME "haproxy"
 #endif
@@ -35,7 +31,7 @@
 /* Allocate shared memory context.
  * is the number of allocated blocks into cache (default 128 bytes)
  * A block is large enough to contain a classic session (without client cert)
- * If is set less or equal to 0, SHCTX_DEFAULT_SIZE is used.
+ * If is set less or equal to 0, ssl cache is disabled.
  * Set to 1 to use a mapped shared memory instead
  * of private. (ignored if compiled with USE_PRIVATE_CACHE=1).
  * Returns: -1 on alloc failure, if it performs context alloc,
diff --git a/src/shctx.c b/src/shctx.c
index 457aedbd27..151b68a493 100644
--- a/src/shctx.c
+++ b/src/shctx.c
@@ -499,7 +499,7 @@ void shctx_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
 /* Allocate shared memory context.
  * is maximum cached sessions.
- * If is set to less or equal to 0, SHCTX_DEFAULT_SIZE is used.
+ * If is set to less or equal to 0, ssl cache is disabled.
  * Returns: -1 on alloc failure, if it performs context alloc,
  * and 0 if cache is already allocated.
  */
@@ -518,7 +518,7 @@ int shared_context_init(int size, int shared)
 return 0;
 if (size<=0)
- size = SHCTX_DEFAULT_SIZE;
+ return 0;
 /* Increate size by one to reserve one node for lookup */
 size++;
@@ -579,15 +579,17 @@ int shared_context_init(int size, int shared)
 * Shared context MUST be firstly initialized
 */
 void shared_context_set_cache(SSL_CTX *ctx)
 {
+ SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
+
+ if (!shctx) {
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ return;
+ }
+
 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL | SSL_SESS_CACHE_NO_AUTO_CLEAR);
- SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
-
- if (!shctx)
- return;
-
 /* Set callbacks */
 SSL_CTX_sess_set_new_cb(ctx, shctx_new_cb);
 SSL_CTX_sess_set_get_cb(ctx, shctx_get_cb);
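Review bot: The new `return 0;` in the @@ -518 hunk for size <= 0 reuses the value the function's own Returns line reserves for "cache is already allocated", so a caller testing the result cannot tell a deliberately disabled cache from an existing one; the comment hunks at @@ -499 in src/shctx.c and @@ -35 in include/proto/shctx.h rewrite only the size sentence and leave that Returns line stale. Either update the comment in both places, e.g. ` * Returns: -1 on alloc failure, size if it performs context alloc,` ` * and 0 if the cache is disabled (size <= 0) or already allocated.`, or return a distinct value if any caller needs to distinguish the two. Since the disabled path leaves shctx NULL, which the later shared_context_set_cache hunk in this file appears to rely on to select SSL_SESS_CACHE_OFF, a why-comment on the early return would help, e.g. `return 0; /* cache disabled: shctx stays NULL, see shared_context_set_cache() */`. shared_context_init starts and ends outside this hunk.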