author | Kevin Lin <developer@kevinlin.info> | 2020-02-19 20:59:24 -0800 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2020-03-27 11:21:33 -0700 |
commit | 4e79f166fc15583cae443d9ae09a1e673601fb7e (patch) | |
tree | 22af2a3afad3501b1e75ee7aedfecd2b9f1d35f0 /tls.c | |
parent | f249724cedcab6605ca8a0769ac4b356a8124f63 (diff) | |
download | memcached-4e79f166fc15583cae443d9ae09a1e673601fb7e.tar.gz |
Add: `-o ssl_session_cache`, disabled by default
Enables server-side TLS session caching.
Diffstat (limited to 'tls.c')
-rw-r--r-- | tls.c | 26 |
1 files changed, 25 insertions, 1 deletions
@@ -143,7 +143,7 @@ int ssl_init(void) {
     settings.ssl_ctx = SSL_CTX_new(TLS_server_method());
     // Clients should use at least TLSv1.2
     int flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-        SSL_OP_NO_TLSv1 |SSL_OP_NO_TLSv1_1;
+        SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
     SSL_CTX_set_options(settings.ssl_ctx, flags);
 
     // The server certificate, private key and validations.
@@ -167,6 +167,17 @@ int ssl_init(void) {
         exit(EX_USAGE);
     }
 
+    // Optional session caching; default disabled.
+    if (settings.ssl_session_cache) {
+        SSL_CTX_sess_set_new_cb(settings.ssl_ctx, ssl_new_session_callback);
+        SSL_CTX_set_session_cache_mode(settings.ssl_ctx, SSL_SESS_CACHE_SERVER);
+        SSL_CTX_set_session_id_context(settings.ssl_ctx,
+                                       (const unsigned char *) SESSION_ID_CONTEXT,
+                                       strlen(SESSION_ID_CONTEXT));
+    } else {
+        SSL_CTX_set_session_cache_mode(settings.ssl_ctx, SSL_SESS_CACHE_OFF);
+    }
+
     return 0;
 }
 
@@ -189,6 +200,19 @@ void ssl_callback(const SSL *s, int where, int ret) {
     }
 }
 
+/*
+ * This method is invoked with every new successfully negotiated SSL session,
+ * when server-side session caching is enabled. Note that this method is not
+ * invoked when a session is reused.
+ */
+int ssl_new_session_callback(SSL *s, SSL_SESSION *sess) {
+    STATS_LOCK();
+    stats.ssl_new_sessions++;
+    STATS_UNLOCK();
+
+    return 0;
+}
+
 bool refresh_certs(char **errmsg) {
     return load_server_certificates(errmsg);
 }
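Review bot: The return value of `SSL_CTX_set_session_id_context` in the new session-cache branch of ssl_init is ignored; it returns 0 when the context exceeds `SSL_MAX_SID_CTX_LENGTH` (32 bytes), and in that case resumption silently never works. `SESSION_ID_CONTEXT` is defined outside this hunk, so its length cannot be confirmed here; the call should fail loudly like the certificate checks just above it, e.g. `if (!SSL_CTX_set_session_id_context(settings.ssl_ctx, (const unsigned char *) SESSION_ID_CONTEXT, strlen(SESSION_ID_CONTEXT))) { exit(EX_USAGE); }` with whatever error reporting the earlier checks in ssl_init use. The branch also inherits OpenSSL's default cache size and session timeout without saying so; a comment such as `// Cache size and session lifetime are OpenSSL defaults (SSL_CTX_sess_set_cache_size, SSL_CTX_set_timeout).` would tell operators what the new option commits them to. ssl_init starts before this hunk.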
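Review bot: The block comment on `ssl_new_session_callback` should state the return-value contract, because OpenSSL acts on it: before the call the library takes an extra reference on `sess`, and returning 0 declines that reference so the callback owes no `SSL_SESSION_free`, whereas returning 1 would make the callback responsible for freeing it. Suggest appending ` * Returns 0: no reference to sess is retained here, so OpenSSL keeps ownership.` to the comment. The callback is referenced in ssl_init above its definition, so a prototype presumably lives in tls.h, and `stats.ssl_new_sessions` must be added to the stats struct elsewhere since the diffstat is limited to tls.c; neither is visible in this diff.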