comparison src/event/ngx_event_openssl.h @ 7320:696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time. Therefore we use a callback to save the session
when we know about it. This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.
Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback. To preserve API, the session is
cached in c->ssl->session. It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 17 Jul 2018 12:53:23 +0300 |
parents | 8076ba459f05 |
children | ba971deb4b44 |
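--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -74,10 +74,13 @@
 ngx_int_t last;
 ngx_buf_t *buf;
 size_t buffer_size;
 
 ngx_connection_handler_pt handler;
+
+ngx_ssl_session_t *session;
+ngx_connection_handler_pt save_session;
 
 ngx_event_handler_pt saved_read_handler;
 ngx_event_handler_pt saved_write_handler;
 
 unsigned handshaked:1;
@@ -166,21 +169,24 @@
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
 int key_length);
 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
+ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ngx_uint_t enable);
 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
 ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
 ngx_uint_t flags);
 
 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
-#define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection)
+ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
+ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
 #define ngx_ssl_free_session SSL_SESSION_free
 #define ngx_ssl_get_connection(ssl_conn) \
 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
 #define ngx_ssl_get_server_conf(ssl_ctx) \
 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)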