RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MINOR: ssl: Setting global tune.ssl.cachesize value to 0 disables SSL session cache.

This commit is contained in:
Emeric Brun 2012-12-28 14:41:32 +01:00 committed by Willy Tarreau
parent ccbcc37a01
commit 22890a1225
3 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/configuration.txt
View File

@ -887,7 +887,8 @@ tune.ssl.cachesize <number>
and reassigned. Higher values reduce the occurrence of such a purge, hence
the number of CPU-intensive SSL handshakes by ensuring that all users keep
their session as long as possible. All entries are pre-allocated upon startup
and are shared between all processes if "nbproc" is greater than 1.
and are shared between all processes if "nbproc" is greater than 1. Setting
this value to 0 disables the SSL session cache.
tune.ssl.lifetime <timeout>
Sets how long a cached SSL session may remain valid. This time is expressed

6
include/proto/shctx.h
View File

@ -24,10 +24,6 @@
#define SHSESS_MAX_DATA_LEN 4096
#endif
#ifndef SHCTX_DEFAULT_SIZE
#define SHCTX_DEFAULT_SIZE 20000
#endif
#ifndef SHCTX_APPNAME
#define SHCTX_APPNAME "haproxy"
#endif
@ -35,7 +31,7 @@
/* Allocate shared memory context.
* <size> is the number of allocated blocks into cache (default 128 bytes)
* A block is large enough to contain a classic session (without client cert)
* If <size> is set less or equal to 0, SHCTX_DEFAULT_SIZE is used.
* If <size> is set less or equal to 0, ssl cache is disabled.
* Set <use_shared_memory> to 1 to use a mapped shared memory instead
* of private. (ignored if compiled with USE_PRIVATE_CACHE=1).
* Returns: -1 on alloc failure, <size> if it performs context alloc,

16
src/shctx.c
View File

@ -499,7 +499,7 @@ void shctx_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
/* Allocate shared memory context.
* <size> is maximum cached sessions.
* If <size> is set to less or equal to 0, SHCTX_DEFAULT_SIZE is used.
* If <size> is set to less or equal to 0, ssl cache is disabled.
* Returns: -1 on alloc failure, <size> if it performs context alloc,
* and 0 if cache is already allocated.
*/
@ -518,7 +518,7 @@ int shared_context_init(int size, int shared)
return 0;
if (size<=0)
size = SHCTX_DEFAULT_SIZE;
return 0;
/* Increate size by one to reserve one node for lookup */
size++;
@ -579,15 +579,17 @@ int shared_context_init(int size, int shared)
* Shared context MUST be firstly initialized */
void shared_context_set_cache(SSL_CTX *ctx)
{
SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
if (!shctx) {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
return;
}
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
SSL_SESS_CACHE_NO_INTERNAL |
SSL_SESS_CACHE_NO_AUTO_CLEAR);
SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
if (!shctx)
return;
/* Set callbacks */
SSL_CTX_sess_set_new_cb(ctx, shctx_new_cb);
SSL_CTX_sess_set_get_cb(ctx, shctx_get_cb);