Mercurial > hg > nginx

changeset 8074:026ee23b6774

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: disabled saving tickets to session cache. OpenSSL tries to save TLSv1.3 sessions into session cache even when using tickets for stateless session resumption, "because some applications just want to know about the creation of a session". To avoid trashing session cache with useless data, we do not save such sessions now.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 12 Oct 2022 20:14:34 +0300
parents aa663cc2a77d
children 38c71f9b2293
files src/event/ngx_event_openssl.c
diffstat 1 files changed, 17 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_openssl.c	Tue Sep 27 11:31:16 2022 +0400
+++ b/src/event/ngx_event_openssl.c	Wed Oct 12 20:14:34 2022 +0300
@@ -3818,6 +3818,23 @@
     ngx_ssl_session_cache_t  *cache;
     u_char                    buf[NGX_SSL_MAX_SESSION_SIZE];
 
+#ifdef TLS1_3_VERSION
+
+    /*
+     * OpenSSL tries to save TLSv1.3 sessions into session cache
+     * even when using tickets for stateless session resumption,
+     * "because some applications just want to know about the creation
+     * of a session"; do not cache such sessions
+     */
+
+    if (SSL_version(ssl_conn) == TLS1_3_VERSION
+        && (SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0)
+    {
+        return 0;
+    }
+
+#endif
+
     len = i2d_SSL_SESSION(sess, NULL);
 
     /* do not cache too big session */