authorzhengchao <[email protected]>2019-02-18 15:47:29 +0600
committerzhengchao <[email protected]>2019-02-18 15:48:36 +0600
commit2d34aafa48bac6002ad4c883f1b3d29663087150 (patch)
tree89f21d57af0a7a60a1c6b4c64a70622c135d6e41
parent39ac1dede97e55d4a0e363552f7f2baaf162bc4d (diff)
增加session cache的开关:no_session_cache,默认为0,即启用session cache。
-rw-r--r--platform/src/ssl_stream.cpp66
1 files changed, 40 insertions, 26 deletions
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 2e31215..14539bc 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -119,6 +119,7 @@ struct ssl_mgr
unsigned int no_tls10;
unsigned int no_tls11;
unsigned int no_tls12;
+ unsigned int no_sesscache;
unsigned int no_sessticket;
unsigned int no_alpn;
unsigned int no_cert_verify;
@@ -251,8 +252,11 @@ ssl_stream_gc_cb(evutil_socket_t fd, short what, void * arg)
{
struct ssl_mgr *mgr=(struct ssl_mgr *)arg;
int i=0;
- ssl_sess_cache_stat(mgr->up_sess_cache, &(mgr->stat_val[SSL_UP_CACHE_SZ]), &(mgr->stat_val[SSL_UP_CACHE_QUERY]), &(mgr->stat_val[SSL_UP_CACHE_HIT]));
- ssl_sess_cache_stat(mgr->down_sess_cache, &(mgr->stat_val[SSL_DOWN_CACHE_SZ]), &(mgr->stat_val[SSL_DOWN_CACHE_QUERY]), &(mgr->stat_val[SSL_DOWN_CACHE_HIT]));
+ if(!mgr->no_sesscache)
+ {
+ ssl_sess_cache_stat(mgr->up_sess_cache, &(mgr->stat_val[SSL_UP_CACHE_SZ]), &(mgr->stat_val[SSL_UP_CACHE_QUERY]), &(mgr->stat_val[SSL_UP_CACHE_HIT]));
+ ssl_sess_cache_stat(mgr->down_sess_cache, &(mgr->stat_val[SSL_DOWN_CACHE_SZ]), &(mgr->stat_val[SSL_DOWN_CACHE_QUERY]), &(mgr->stat_val[SSL_DOWN_CACHE_HIT]));
+ }
struct key_keeper_stat keeper_stat;
key_keeper_statistic(mgr->key_keeper, &keeper_stat);
mgr->stat_val[KEY_KEEPER_ASK]=keeper_stat.ask_times;
@@ -279,7 +283,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
spec[SSL_UP_ERR_UNSUPPORT_PROTO]="ussl_e_prt";
spec[SSL_UP_CLOSING]="ussl_clsing";
- spec[SSL_UP_CLOSED]="ussl_clsed";
+ spec[SSL_UP_CLOSED]="ussl_clsd";
spec[SSL_UP_DIRTY_CLOSED]="ussl_dt_cls";
spec[SSL_UP_CACHE_SZ]="usess_cache";
spec[SSL_UP_CACHE_QUERY]="usess_query";
@@ -290,7 +294,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
spec[SSL_DOWN_ERR_NO_CERT]="dssl_e_cert";
spec[SSL_DOWN_ERR_INAPPROPRIATE_FALLBACK]="dssl_e_fb";
spec[SSL_DOWN_CLOSING]="dssl_clsing";
- spec[SSL_DOWN_CLOSED]="dssl_clsed";
+ spec[SSL_DOWN_CLOSED]="dssl_clsd";
spec[SSL_DOWN_DIRTY_CLOSED]="dssl_dt_cls";
spec[SSL_DOWN_CACHE_SZ]="dsess_cache";
spec[SSL_DOWN_CACHE_QUERY]="dcache_query";
@@ -578,6 +582,7 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
MESA_load_profile_uint_def(ini_profile, section, "no_tls12", &(mgr->no_tls12), 0);
MESA_load_profile_string_def(ini_profile, section, "default_ciphers", mgr->default_ciphers,
sizeof(mgr->default_ciphers), DFLT_CIPHERS);
+ MESA_load_profile_uint_def(ini_profile, section, "no_session_cache", &(mgr->no_sesscache), 0);
MESA_load_profile_uint_def(ini_profile, section, "no_session_ticket", &(mgr->no_sessticket), 0);
MESA_load_profile_uint_def(ini_profile, section, "no_alpn", &(mgr->no_alpn), 0);
MESA_load_profile_uint_def(ini_profile, section, "no_cert_verify", &(mgr->no_cert_verify), 0);
@@ -587,9 +592,11 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
MESA_load_profile_uint_def(ini_profile, section, "session_cache_slots", &(mgr->cache_slots), 4 * 1024 * 1024);
MESA_load_profile_uint_def(ini_profile, section, "session_cache_expire_seconds", &(mgr->sess_expire_seconds), 30 * 60);
- mgr->up_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_UPSTREAM);
- mgr->down_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM);
-
+ if(!mgr->no_sesscache)
+ {
+ mgr->up_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_UPSTREAM);
+ mgr->down_sess_cache = ssl_sess_cache_create(mgr->cache_slots, mgr->sess_expire_seconds, CONN_DIR_DOWNSTREAM);
+ }
//Reference to NGINX: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
//Support key rotation in futher.
@@ -816,20 +823,22 @@ static SSL * upstream_ssl_create(struct ssl_mgr * mgr, const struct ssl_chello *
struct sockaddr_storage addr;
socklen_t addrlen = sizeof(struct sockaddr_storage);
- ret = getpeername(fd, (struct sockaddr *) (&addr), &addrlen);
- if(ret == 0)
+ if(!mgr->no_sesscache)
{
- /* session resuming based on remote endpoint address and port */
- sess = up_session_get(mgr->up_sess_cache, (struct sockaddr *) &addr, addrlen, chello->sni);
- if (sess)
+ ret = getpeername(fd, (struct sockaddr *) (&addr), &addrlen);
+ if(ret == 0)
{
- SSL_set_session(ssl, sess); /* increments sess refcount */
- SSL_SESSION_free(sess);
+ /* session resuming based on remote endpoint address and port */
+ sess = up_session_get(mgr->up_sess_cache, (struct sockaddr *) &addr, addrlen, chello->sni);
+ if (sess)
+ {
+ SSL_set_session(ssl, sess); /* increments sess refcount */
+ SSL_SESSION_free(sess);
+ }
}
}
-
return ssl;
}
@@ -1047,11 +1056,14 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
}
if(s_stream->is_peer_cert_verify_passed)
{
- //ONLY verified session is cacheable.
- //The reference count of the SSL_SESSION is not incremented, so no need to free.
- ssl_sess = SSL_get0_session(s_stream->ssl);
- up_session_set(mgr->up_sess_cache, (struct sockaddr *)&(ctx->addr),
- ctx->addrlen, s_stream->client_hello->sni, ssl_sess);
+ if(!mgr->no_sesscache)
+ {
+ //ONLY verified session is cacheable.
+ //The reference count of the SSL_SESSION is not incremented, so no need to free.
+ ssl_sess = SSL_get0_session(s_stream->ssl);
+ up_session_set(mgr->up_sess_cache, (struct sockaddr *)&(ctx->addr),
+ ctx->addrlen, s_stream->client_hello->sni, ssl_sess);
+ }
}
else
{
@@ -1253,7 +1265,7 @@ static int ossl_sessnew_cb(SSL * ssl, SSL_SESSION * sess)
#endif /* HAVE_SSLV2 */
- if (sess)
+ if (sess && !mgr->no_sesscache)
{
down_session_set(mgr->down_sess_cache, sess);
}
@@ -1271,7 +1283,7 @@ static void ossl_sessremove_cb(SSL_CTX * sslctx, SSL_SESSION * sess)
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_CTX_get_ex_data(sslctx, SSL_EX_DATA_IDX_SSLMGR);
assert(mgr != NULL);
- if (sess)
+ if (sess && !mgr->no_sesscache)
{
down_session_del(mgr->down_sess_cache, sess);
}
@@ -1286,10 +1298,12 @@ static void ossl_sessremove_cb(SSL_CTX * sslctx, SSL_SESSION * sess)
static SSL_SESSION * ossl_sessget_cb(SSL * ssl, const unsigned char * id, int idlen, int * copy)
{
struct ssl_mgr * mgr = (struct ssl_mgr *) SSL_get_ex_data(ssl, SSL_EX_DATA_IDX_SSLMGR);
- SSL_SESSION * sess;
-
- *copy = 0; /* SSL should not increment reference count of session */
- sess = (SSL_SESSION *) down_session_get(mgr->down_sess_cache, id, idlen);
+ SSL_SESSION * sess=NULL;
+ if(!mgr->no_sesscache)
+ {
+ *copy = 0; /* SSL should not increment reference count of session */
+ sess = (SSL_SESSION *) down_session_get(mgr->down_sess_cache, id, idlen);
+ }
return sess;
}
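Review bot: In the ssl_manager_init hunk (@@ -587,9 +592,11 @@), the new `if(!mgr->no_sesscache)` branch leaves `mgr->up_sess_cache` and `mgr->down_sess_cache` unassigned when caching is disabled, so their value depends on how `mgr` was allocated (not shown here), and any remaining user of those pointers outside the guarded sites — the manager's teardown path, if it destroys the caches, is not in this diff — would dereference an unset pointer. Make the disabled state explicit, `else { mgr->up_sess_cache = NULL; mgr->down_sess_cache = NULL; }`, and check that every other reference to the two caches either carries the same `!mgr->no_sesscache` guard or tolerates NULL. The three OpenSSL callbacks (`ossl_sessnew_cb`, `ossl_sessremove_cb`, `ossl_sessget_cb`) now early-out on the flag but presumably stay registered on the SSL_CTX, so OpenSSL's internal session store still retains downstream sessions; if the option is meant to disable session-ID resumption entirely, also apply `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)` where the context is configured (outside this diff). The `"ussl_clsed"`→`"ussl_clsd"` / `"dssl_clsed"`→`"dssl_clsd"` edits in the two ssl_stat_init hunks rename exported statistic labels and are unrelated to the new option; they would be clearer as a separate commit. ssl_manager_init and the other touched functions begin and end outside their hunks.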