| author | Sergey Kandaurov <pluknet@nginx.com> | 2018-07-17 12:53:23 +0300 |
|---|---|---|
| committer | Sergey Kandaurov <pluknet@nginx.com> | 2018-07-17 12:53:23 +0300 |
| commit | d5a27006e03174aa518f6c849d377a130a7c705c (patch) | |
| tree | ea8b041547925ace0f5876b28102942ce34246eb /src/stream | |
| parent | e1bebd05cb75fa6e8be5f4f942028501c9b22821 (diff) | |
| download | nginx-d5a27006e03174aa518f6c849d377a130a7c705c.tar.gz nginx-d5a27006e03174aa518f6c849d377a130a7c705c.tar.bz2 | |
SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time. Therefore we use a callback to save the session
when we know about it. This approach works for < TLSv1.3 as well.
The callback function is set once per location during the merge phase.
Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback. To preserve API, the session is
cached in c->ssl->session. It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
Diffstat (limited to 'src/stream')
| -rw-r--r-- | src/stream/ngx_stream_proxy_module.c | 27 | ||||
| -rw-r--r-- | src/stream/ngx_stream_upstream_round_robin.c | 2 |
2 files changed, 23 insertions, 6 deletions
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 792bb7758..d0497f571 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -92,6 +92,7 @@ static char *ngx_stream_proxy_ssl_password_file(ngx_conf_t *cf,
     ngx_command_t *cmd, void *conf);
 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
+static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
     ngx_stream_proxy_srv_conf_t *pscf);
@@ -1008,6 +1009,8 @@ ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
     }
 
     if (pscf->ssl_session_reuse) {
+        pc->ssl->save_session = ngx_stream_proxy_ssl_save_session;
+
         if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
             ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
             return;
@@ -1066,11 +1069,6 @@ ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc)
         }
     }
 
-    if (pscf->ssl_session_reuse) {
-        u = s->upstream;
-        u->peer.save_session(&u->peer, u->peer.data);
-    }
-
     if (pc->write->timer_set) {
         ngx_del_timer(pc->write);
     }
@@ -1086,6 +1084,19 @@ failed:
 }
 
 
+static void
+ngx_stream_proxy_ssl_save_session(ngx_connection_t *c)
+{
+    ngx_stream_session_t   *s;
+    ngx_stream_upstream_t  *u;
+
+    s = c->data;
+    u = s->upstream;
+
+    u->peer.save_session(&u->peer, u->peer.data);
+}
+
+
 static ngx_int_t
 ngx_stream_proxy_ssl_name(ngx_stream_session_t *s)
 {
@@ -2051,6 +2062,12 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
         }
     }
 
+    if (ngx_ssl_client_session_cache(cf, pscf->ssl, pscf->ssl_session_reuse)
+        != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
     return NGX_OK;
 }
 
diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
index 526de3a80..36e2ec5ca 100644
--- a/src/stream/ngx_stream_upstream_round_robin.c
+++ b/src/stream/ngx_stream_upstream_round_robin.c
@@ -776,7 +776,7 @@ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
     if (peers->shpool) {
 
-        ssl_session = SSL_get0_session(pc->connection->ssl->connection);
+        ssl_session = ngx_ssl_get0_session(pc->connection);
 
         if (ssl_session == NULL) {
             return; |
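Review bot: ngx_stream_proxy_ssl_save_session in the `@@ -1086,6 +1084,19 @@` hunk has no comment stating what it assumes, and it is where the `pscf->ssl_session_reuse` guard removed from ngx_stream_proxy_ssl_handshake now lives only implicitly: the callback is installed under that flag in ngx_stream_proxy_ssl_init_connection, and here `u->peer.save_session` is called unconditionally. Per the commit message the SSL layer may invoke this callback after the handshake (TLSv1.3 NewSessionTicket), so `c->data` must still be the stream session and `s->upstream` must still be valid at that time; neither assumption is visible from the function itself. I would add above the definition: `/* c->ssl->save_session hook: called by the SSL layer when a new session is available, possibly after the handshake (TLSv1.3); installed only when ssl_session_reuse is on, and c->data is the stream session */`. The hunk in ngx_stream_upstream_round_robin.c is cut off after `return;`, so it is not reviewed here.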
