authorGlenn Strauss <gstrauss@gluelogic.com>2020-10-29 01:05:55 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2020-10-29 01:05:55 -0400
commit31fc3a077328ff8d81c40e89c68c13cbe069e546 (patch)
treecef2599c95b5c04f3d44f6c61a560f091e71511e
parent1d27391c291fa5f00f1e41c2e7853e9a27aa5184 (diff)
[TLS] server.feature-flags "ssl.session-cache"lighttpd-1.4.56-rc3
disabled by default, but can be enabled (session tickets should be preferred). Applies to mod_openssl, mod_wolfssl and mod_nss; a session cache is not currently implemented in mod_mbedtls or mod_gnutls.
-rw-r--r--src/mod_gnutls.c10
-rw-r--r--src/mod_mbedtls.c1
-rw-r--r--src/mod_nss.c8
-rw-r--r--src/mod_openssl.c15
-rw-r--r--src/mod_wolfssl.c15
5 files changed, 39 insertions, 10 deletions
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c
index 04c22b80..a424e094 100644
--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -9,7 +9,8 @@
*
* Note: If session tickets are -not- disabled with
* ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
- * mod_gnutls rotates server ticket encryption key (STEK) every 24 hours.
+ * mod_gnutls rotates server ticket encryption key (STEK) every 18 hours.
+ * (https://gnutls.org/manual/html_node/Session-resumption.html)
* This is fine for use with a single lighttpd instance, but with multiple
* lighttpd workers, no coordinated STEK (server ticket encryption key)
* rotation occurs unless ssl.stek-file is defined and maintained (preferred),
@@ -21,10 +22,15 @@
* resumption, since clients have a lower chance for future connections to
* reach the same lighttpd worker. However, things will still work, and a new
* session will be created if session resumption fails. Admins should plan to
- * restart lighttpd at least every 24 hours if session tickets are enabled and
+ * restart lighttpd at least every 18 hours if session tickets are enabled and
* multiple lighttpd workers are configured. Since that is likely disruptive,
* if multiple lighttpd workers are configured, ssl.stek-file should be
* defined and the file maintained externally.
+ *
+ * future possible enhancements to lighttpd mod_gnutls:
+ * - session cache (though session tickets are implemented)
+ * See gnutls_db_set_store_function() and gnutls_db_set_retrieve_function()
+ * (and do not enable unless server.feature-flags ssl.session-cache enabled)
*/
#include "first.h"
diff --git a/src/mod_mbedtls.c b/src/mod_mbedtls.c
index 1450f47a..43412d22 100644
--- a/src/mod_mbedtls.c
+++ b/src/mod_mbedtls.c
@@ -23,6 +23,7 @@
* future possible enhancements to lighttpd mod_mbedtls:
* - session cache (though session tickets are implemented)
* sample code in mbedtls:programs/ssl/ssl_server2.c
+ * (and do not enable unless server.feature-flags ssl.session-cache enabled)
*
* Note: If session tickets are -not- disabled with
* ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
diff --git a/src/mod_nss.c b/src/mod_nss.c
index 1f28c7f9..58b09854 100644
--- a/src/mod_nss.c
+++ b/src/mod_nss.c
@@ -1546,6 +1546,14 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
{
UNUSED(p);
+ const int disable_sess_cache =
+ srv->srvconf.feature_flags
+ && !config_plugin_value_tobool(
+ array_get_element_klen(srv->srvconf.feature_flags,
+ CONST_STR_LEN("ssl.session-cache")), 0);
+ if (!disable_sess_cache) /* undo disable from mod_nss_init_once_nss() */
+ SSL_OptionSetDefault(SSL_NO_CACHE, PR_FALSE);
+
/* use PR_CreateSocketPollFd() for dummy;
* PR_CreateIOLayerStub() was resulting in crashes
* when SSL_ImportFD() attempted ssl_DefGetpeername() */
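Review bot: The session cache is re-enabled whenever `srv->srvconf.feature_flags` is NULL, because the new `disable_sess_cache` after `UNUSED(p)` evaluates to 0 in that case and `if (!disable_sess_cache)` then undoes the `SSL_NO_CACHE` default set in mod_nss_init_once_nss() — so unless the feature-flags array is always allocated (its initialisation is not visible here), a configuration with no `server.feature-flags` at all ends up with the cache on, the opposite of the "disabled by default" intent. A NULL-safe form is `const int disable_sess_cache = NULL == srv->srvconf.feature_flags || !config_plugin_value_tobool(array_get_element_klen(srv->srvconf.feature_flags, CONST_STR_LEN("ssl.session-cache")), 0);`. `SSL_OptionSetDefault()` returns a SECStatus that is discarded here, and it changes a process-wide NSS default rather than a per-listener option, which deserves a comment such as `/* process-wide NSS default; the flag is server-global so every listener agrees */`. network_init_ssl continues past the end of this hunk.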
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 39d3cd34..3f16ac84 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -2089,10 +2089,17 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
return -1;
}
- /* disable session cache; session tickets are preferred */
- SSL_CTX_set_session_cache_mode(s->ssl_ctx, SSL_SESS_CACHE_OFF
- | SSL_SESS_CACHE_NO_AUTO_CLEAR
- | SSL_SESS_CACHE_NO_INTERNAL);
+ const int disable_sess_cache =
+ srv->srvconf.feature_flags
+ && !config_plugin_value_tobool(
+ array_get_element_klen(srv->srvconf.feature_flags,
+ CONST_STR_LEN("ssl.session-cache")), 0);
+ if (disable_sess_cache)
+ /* disable session cache; session tickets are preferred */
+ SSL_CTX_set_session_cache_mode(s->ssl_ctx,
+ SSL_SESS_CACHE_OFF
+ | SSL_SESS_CACHE_NO_AUTO_CLEAR
+ | SSL_SESS_CACHE_NO_INTERNAL);
if (s->ssl_empty_fragments) {
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
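Review bot: With `srv->srvconf.feature_flags` NULL the new `disable_sess_cache` is 0, so the `SSL_CTX_set_session_cache_mode(... SSL_SESS_CACHE_OFF ...)` call is skipped and OpenSSL's built-in server-side cache stays at its library default — the inverse of the "disabled by default" behaviour the commit describes, unless the feature-flags array is guaranteed to be allocated even when `server.feature-flags` is not configured (not visible in this hunk). A NULL-safe form is `const int disable_sess_cache = NULL == srv->srvconf.feature_flags || !config_plugin_value_tobool(array_get_element_klen(srv->srvconf.feature_flags, CONST_STR_LEN("ssl.session-cache")), 0);`. When the cache is left on, nothing in this hunk sets its size or timeout, so the library defaults apply; a comment on the `if (disable_sess_cache)` such as `/* otherwise OpenSSL's default internal cache (default size/timeout) stays active; tickets are still preferred */` would save the next reader a trip to the docs. The same construction appears in mod_wolfssl.c and mod_nss.c in this commit. network_init_ssl begins before and ends after this hunk.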
diff --git a/src/mod_wolfssl.c b/src/mod_wolfssl.c
index b9a47e97..2311c93a 100644
--- a/src/mod_wolfssl.c
+++ b/src/mod_wolfssl.c
@@ -1835,10 +1835,17 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
}
#if !defined(NO_SESSION_CACHE)
- /* disable session cache; session tickets are preferred */
- SSL_CTX_set_session_cache_mode(s->ssl_ctx, SSL_SESS_CACHE_OFF
- | SSL_SESS_CACHE_NO_AUTO_CLEAR
- | SSL_SESS_CACHE_NO_INTERNAL);
+ const int disable_sess_cache =
+ srv->srvconf.feature_flags
+ && !config_plugin_value_tobool(
+ array_get_element_klen(srv->srvconf.feature_flags,
+ CONST_STR_LEN("ssl.session-cache")), 0);
+ if (disable_sess_cache)
+ /* disable session cache; session tickets are preferred */
+ SSL_CTX_set_session_cache_mode(s->ssl_ctx,
+ SSL_SESS_CACHE_OFF
+ | SSL_SESS_CACHE_NO_AUTO_CLEAR
+ | SSL_SESS_CACHE_NO_INTERNAL);
#endif
if (s->ssl_empty_fragments) {
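Review bot: Under `#if !defined(NO_SESSION_CACHE)` the whole flag check disappears, so a wolfSSL built without a session cache silently ignores `server.feature-flags = ("ssl.session-cache" => "enable")`; an `#else` branch that reads the flag and logs a warning when it is enabled would make the mismatch visible instead of leaving the admin to wonder why ID-based resumption never happens (the module's logging helper is not visible in this hunk, so I am not quoting the call). Independently, `disable_sess_cache` is 0 whenever `srv->srvconf.feature_flags` is NULL, which skips the `SSL_SESS_CACHE_OFF` call and leaves the cache at the library default — the inverse of "disabled by default" unless that array is always allocated, which this hunk cannot confirm; `NULL == srv->srvconf.feature_flags || !config_plugin_value_tobool(...)` removes that dependency. network_init_ssl starts before and continues after this hunk.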