MINOR: ssl: Add tune.ssl.lifetime statement in global.

Sets the ssl session <lifetime> in seconds. Openssl default is 300 seconds.
2025-02-12 08:27:24 +00:00 · 2012-11-16 15:11:00 +01:00 · 2012-11-16 15:11:00 +01:00 · 4f65bff1a5
commit 4f65bff1a5
parent 6ec58dbacc
4 changed files with 35 additions and 0 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -860,6 +860,14 @@ tune.ssl.cachesize <number>
  allocated upon startup and are shared between all processes if "nbproc" is
  greater than 1.

+tune.ssl.lifetime <timeout>
+  Sets how long a cached SSL session may remain valid. This time is expressed
+  in seconds and defaults to 300 (5 mn). It is important to understand that it
+  does not guarantee that sessions will last that long, because if the cache is
+  full, the longest idle sessions will be purged despite their configured
+  lifetime. The real usefulness of this setting is to prevent sessions from
+  being used for too long.
+
 tune.zlib.memlevel <number>
  Sets the memLevel parameter in zlib initialization for each session. It
  defines how much memory should be allocated for the intenal compression
--- a/include/types/global.h
+++ b/include/types/global.h
@ -114,6 +114,7 @@ struct global {
 		int max_http_hdr;  /* max number of HTTP headers, use MAX_HTTP_HDR if zero */
 #ifdef USE_OPENSSL
 		int sslcachesize;  /* SSL cache size in session, defaults to 20000 */
+		unsigned int ssllifetime;   /* SSL session lifetime in seconds */
 #endif
 #ifdef USE_ZLIB
 		int zlibmemlevel;    /* zlib memlevel */
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -571,6 +571,26 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 		}
 		global.tune.sslcachesize = atol(args[1]);
 	}
+	else if (!strcmp(args[0], "tune.ssl.lifetime")) {
+		unsigned int ssllifetime;
+		const char *res;
+
+		if (*(args[1]) == 0) {
+			Alert("parsing [%s:%d] : '%s' expects ssl sessions <lifetime> in seconds as argument.\n", file, linenum, args[0]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+
+		res = parse_time_err(args[1], &ssllifetime, TIME_UNIT_S);
+		if (res) {
+			Alert("parsing [%s:%d]: unexpected character '%c' in argument to <%s>.\n",
+			      file, linenum, *res, args[0]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+
+		global.tune.ssllifetime = ssllifetime;
+	}
 #endif
 	else if (!strcmp(args[0], "tune.bufsize")) {
 		if (*(args[1]) == 0) {
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -561,6 +561,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 #endif
 	}

+	if (global.tune.ssllifetime)
+		SSL_CTX_set_timeout(ctx, global.tune.ssllifetime);
+
 	shared_context_set_cache(ctx);
 	if (bind_conf->ciphers &&
 	    !SSL_CTX_set_cipher_list(ctx, bind_conf->ciphers)) {
@ -702,6 +705,9 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
 #endif
 	}

+	if (global.tune.ssllifetime)
+		SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global.tune.ssllifetime);
+
 	SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
 	if (srv->ssl_ctx.ciphers &&
 		!SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {