Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.h @ 8085:043006e5a0b1
SSL: optimized rotation of session ticket keys.
Instead of syncing keys with shared memory on each ticket operation,
the code now does this only when the worker is going to change expiration
of the current key, or going to switch to a new key: that is, usually
at most once per second.
To do so without races, the code maintains 3 keys: current, previous,
and next. If a worker will switch to the next key earlier, other workers
will still be able to decrypt new tickets, since they will be encrypted
with the next key.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 12 Oct 2022 20:14:55 +0300 |
| parents | 0f3d98e4bcc5 |
| children | 496241338da5 |
comparison
equal
deleted
inserted
replaced
| 8084:0f3d98e4bcc5 | 8085:043006e5a0b1 |
|---|---|
| 158 | 158 |
| 159 typedef struct { | 159 typedef struct { |
| 160 ngx_rbtree_t session_rbtree; | 160 ngx_rbtree_t session_rbtree; |
| 161 ngx_rbtree_node_t sentinel; | 161 ngx_rbtree_node_t sentinel; |
| 162 ngx_queue_t expire_queue; | 162 ngx_queue_t expire_queue; |
| 163 ngx_ssl_ticket_key_t ticket_keys[2]; | 163 ngx_ssl_ticket_key_t ticket_keys[3]; |
| 164 time_t fail_time; | 164 time_t fail_time; |
| 165 } ngx_ssl_session_cache_t; | 165 } ngx_ssl_session_cache_t; |
| 166 | 166 |
| 167 | 167 |
| 168 #define NGX_SSL_SSLv2 0x0002 | 168 #define NGX_SSL_SSLv2 0x0002 |