author | Glenn Strauss <gstrauss@gluelogic.com> | 2020-10-29 01:05:55 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2020-10-29 01:05:55 -0400 |
commit | 31fc3a077328ff8d81c40e89c68c13cbe069e546 (patch) | |
tree | cef2599c95b5c04f3d44f6c61a560f091e71511e | |
parent | 1d27391c291fa5f00f1e41c2e7853e9a27aa5184 (diff) | |
download | lighttpd-git-31fc3a077328ff8d81c40e89c68c13cbe069e546.tar.gz |
[TLS] server.feature-flags "ssl.session-cache"lighttpd-1.4.56-rc3
disabled by default, but can be enabled
(session tickets should be preferred)
applies to mod_openssl, mod_wolfssl, mod_nss
session cache is not currently implemented in mod_mbedtls or mod_gnutls
-rw-r--r-- | src/mod_gnutls.c | 10 | ||||
-rw-r--r-- | src/mod_mbedtls.c | 1 | ||||
-rw-r--r-- | src/mod_nss.c | 8 | ||||
-rw-r--r-- | src/mod_openssl.c | 15 | ||||
-rw-r--r-- | src/mod_wolfssl.c | 15 |
5 files changed, 39 insertions, 10 deletions
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index 04c22b80..a424e094 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -9,7 +9,8 @@
  *
  * Note: If session tickets are -not- disabled with
  * ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
- * mod_gnutls rotates server ticket encryption key (STEK) every 24 hours.
+ * mod_gnutls rotates server ticket encryption key (STEK) every 18 hours.
+ * (https://gnutls.org/manual/html_node/Session-resumption.html)
  * This is fine for use with a single lighttpd instance, but with multiple
  * lighttpd workers, no coordinated STEK (server ticket encryption key)
  * rotation occurs unless ssl.stek-file is defined and maintained (preferred),
@@ -21,10 +22,15 @@
  * resumption, since clients have a lower chance for future connections to
  * reach the same lighttpd worker. However, things will still work, and a new
  * session will be created if session resumption fails. Admins should plan to
- * restart lighttpd at least every 24 hours if session tickets are enabled and
+ * restart lighttpd at least every 18 hours if session tickets are enabled and
  * multiple lighttpd workers are configured. Since that is likely disruptive,
  * if multiple lighttpd workers are configured, ssl.stek-file should be
  * defined and the file maintained externally.
+ *
+ * future possible enhancements to lighttpd mod_gnutls:
+ * - session cache (though session tickets are implemented)
+ *   See gnutls_db_set_store_function() and gnutls_db_set_retrieve_function()
+ *   (and do not enable unless server.feature-flags ssl.session-cache enabled)
  */
 
 #include "first.h"
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 1450f47a..43412d22 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -23,6 +23,7 @@
  * future possible enhancements to lighttpd mod_mbedtls:
  * - session cache (though session tickets are implemented)
  *   sample code in mbedtls:programs/ssl/ssl_server2.c
+ *   (and do not enable unless server.feature-flags ssl.session-cache enabled)
  *
  * Note: If session tickets are -not- disabled with
  * ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
diff --git a/src/mod_nss.c b/src/mod_nss.c
index 1f28c7f9..58b09854 100644
--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@@ -1546,6 +1546,14 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
 {
     UNUSED(p);
 
+    const int disable_sess_cache =
+      srv->srvconf.feature_flags
+      && !config_plugin_value_tobool(
+           array_get_element_klen(srv->srvconf.feature_flags,
+                                  CONST_STR_LEN("ssl.session-cache")), 0);
+    if (!disable_sess_cache) /* undo disable from mod_nss_init_once_nss() */
+        SSL_OptionSetDefault(SSL_NO_CACHE, PR_FALSE);
+
     /* use PR_CreateSocketPollFd() for dummy;
      * PR_CreateIOLayerStub() was resulting in crashes
      * when SSL_ImportFD() attempted ssl_DefGetpeername() */
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 39d3cd34..3f16ac84 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -2089,10 +2089,17 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
         return -1;
     }
 
-    /* disable session cache; session tickets are preferred */
-    SSL_CTX_set_session_cache_mode(s->ssl_ctx, SSL_SESS_CACHE_OFF
-                                              | SSL_SESS_CACHE_NO_AUTO_CLEAR
-                                              | SSL_SESS_CACHE_NO_INTERNAL);
+    const int disable_sess_cache =
+      srv->srvconf.feature_flags
+      && !config_plugin_value_tobool(
+           array_get_element_klen(srv->srvconf.feature_flags,
+                                  CONST_STR_LEN("ssl.session-cache")), 0);
+    if (disable_sess_cache)
+        /* disable session cache; session tickets are preferred */
+        SSL_CTX_set_session_cache_mode(s->ssl_ctx,
+                                       SSL_SESS_CACHE_OFF
+                                       | SSL_SESS_CACHE_NO_AUTO_CLEAR
+                                       | SSL_SESS_CACHE_NO_INTERNAL);
 
     if (s->ssl_empty_fragments) {
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
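Review bot: The default when no server.feature-flags block is configured looks inverted in the mod_nss hunk: with srv->srvconf.feature_flags NULL the `&&` short-circuits and disable_sess_cache is 0, so `if (!disable_sess_cache)` re-enables the NSS cache, while the commit message says the cache is disabled by default. The same expression appears in the mod_openssl and mod_wolfssl hunks, where a 0 skips the SSL_CTX_set_session_cache_mode() call and leaves whichever cache mode the library defaults to. A form that keeps the documented default would be `const int disable_sess_cache = !srv->srvconf.feature_flags || !config_plugin_value_tobool(array_get_element_klen(srv->srvconf.feature_flags, CONST_STR_LEN("ssl.session-cache")), 0);` in all three places. It would also help to note in the comment on the SSL_OptionSetDefault() line that it appears to change a process-wide NSS default rather than a per-socket option, so the last server socket initialised decides for all of them — confirm against the NSS API before relying on that. network_init_ssl continues outside the hunk.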
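Review bot: The `if (disable_sess_cache)` in the mod_openssl hunk (and identically in mod_wolfssl) guards a brace-less body made of a comment plus a four-line call, which is the shape that invites a silent dangling-statement bug on the next edit; wrapping the body in braces, `if (disable_sess_cache) { ... }`, costs two lines and removes the hazard. When the flag is on, the enabled path sets nothing at all — no cache mode, size or timeout — so the library defaults apply; a one-line comment on that branch, `/* ssl.session-cache enabled: library default cache mode/size/timeout apply */`, would spare the next reader a search. The three modules also repeat the same five-line flag lookup verbatim; a small shared helper in the config code would keep the flag name and default in one place. network_init_ssl continues outside the hunk.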
diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c
index b9a47e97..2311c93a 100644
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@@ -1835,10 +1835,17 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
     }
 
   #if !defined(NO_SESSION_CACHE)
-    /* disable session cache; session tickets are preferred */
-    SSL_CTX_set_session_cache_mode(s->ssl_ctx, SSL_SESS_CACHE_OFF
-                                              | SSL_SESS_CACHE_NO_AUTO_CLEAR
-                                              | SSL_SESS_CACHE_NO_INTERNAL);
+    const int disable_sess_cache =
+      srv->srvconf.feature_flags
+      && !config_plugin_value_tobool(
+           array_get_element_klen(srv->srvconf.feature_flags,
+                                  CONST_STR_LEN("ssl.session-cache")), 0);
+    if (disable_sess_cache)
+        /* disable session cache; session tickets are preferred */
+        SSL_CTX_set_session_cache_mode(s->ssl_ctx,
+                                       SSL_SESS_CACHE_OFF
+                                       | SSL_SESS_CACHE_NO_AUTO_CLEAR
+                                       | SSL_SESS_CACHE_NO_INTERNAL);
   #endif
 
     if (s->ssl_empty_fragments) {
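Review bot: In the mod_wolfssl hunk the flag lookup sits inside `#if !defined(NO_SESSION_CACHE)`, so on a wolfSSL build without a session cache the whole block, lookup included, is compiled out and an admin who sets ssl.session-cache enabled gets no indication the flag is ignored. Moving the `const int disable_sess_cache = ...` lookup above the `#if` and adding an `#else` branch that logs a notice when the flag is enabled but unsupported would make the mismatch visible at startup. As written the declaration is correctly scoped so there is no unused-variable warning either way; this is about operator feedback, not compilation. network_init_ssl continues outside the hunk.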