| author | Sergey Kandaurov <pluknet@nginx.com> | 2018-07-17 12:53:23 +0300 |
|---|---|---|
| committer | Sergey Kandaurov <pluknet@nginx.com> | 2018-07-17 12:53:23 +0300 |
| commit | d5a27006e03174aa518f6c849d377a130a7c705c (patch) | |
| tree | ea8b041547925ace0f5876b28102942ce34246eb /src/event/ngx_event_openssl.h | |
| parent | e1bebd05cb75fa6e8be5f4f942028501c9b22821 (diff) | |
SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time. Therefore we use a callback to save the session
when we know about it. This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.
Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback. To preserve API, the session is
cached in c->ssl->session. It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
Diffstat (limited to 'src/event/ngx_event_openssl.h')
| -rw-r--r-- | src/event/ngx_event_openssl.h | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 623d851dc..22350d54b 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -77,6 +77,9 @@ struct ngx_ssl_connection_s {
 ngx_connection_handler_pt handler;
+ ngx_ssl_session_t *session;
+ ngx_connection_handler_pt save_session;
+
 ngx_event_handler_pt saved_read_handler;
 ngx_event_handler_pt saved_write_handler;
@@ -168,6 +171,8 @@ RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
+ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_uint_t enable);
 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
@@ -178,7 +183,8 @@ ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
-#define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection)
+ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
+ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
 #define ngx_ssl_free_session SSL_SESSION_free
 #define ngx_ssl_get_connection(ssl_conn) \
 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
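Review bot: The two new prototypes `ngx_ssl_get_session` and `ngx_ssl_get0_session` in the third hunk carry no statement of reference ownership, and the `session` field added to `ngx_ssl_connection_s` in the first hunk does not say who releases it. The macro being removed handed callers a +1 reference from `SSL_get1_session()` that they were expected to pass to `ngx_ssl_free_session`, and the `get0` suffix suggests a borrowed pointer, but a reader of this header alone cannot tell which function owns what; confusing the two means either a leaked session or `SSL_SESSION_free` on a reference `c->ssl` still holds, i.e. a double free or use-after-free on the cached session. Suggest a comment above the pair along the lines of `/* ngx_ssl_get_session(): new reference, release with ngx_ssl_free_session; ngx_ssl_get0_session(): reference owned by c->ssl, valid only while the connection lives */`, and a short note on the `session` field saying it is released with the connection, assuming that is what the accompanying .c change does. The definitions that back these prototypes and the struct's remaining fields are outside this header diff.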
