Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.h @ 8086:496241338da5
SSL: workaround for session timeout handling with TLSv1.3.
OpenSSL with TLSv1.3 updates the session creation time on session
resumption and keeps the session timeout unmodified, making it possible
to maintain the session forever, bypassing client certificate expiration
and revocation. To make sure session timeouts are actually used, we
now update the session creation time and reduce the session timeout
accordingly.
BoringSSL with TLSv1.3 ignores configured session timeouts and uses a
hardcoded timeout instead, 7 days. So we update session timeout to
the configured value as soon as a session is created.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 12 Oct 2022 20:14:57 +0300 |
| parents | 043006e5a0b1 |
| children | 3be953161026 |
comparison
equal
deleted
inserted
replaced
| 8085:043006e5a0b1 | 8086:496241338da5 |
|---|---|
| 112 unsigned sendfile:1; | 112 unsigned sendfile:1; |
| 113 unsigned no_wait_shutdown:1; | 113 unsigned no_wait_shutdown:1; |
| 114 unsigned no_send_shutdown:1; | 114 unsigned no_send_shutdown:1; |
| 115 unsigned shutdown_without_free:1; | 115 unsigned shutdown_without_free:1; |
| 116 unsigned handshake_buffer_set:1; | 116 unsigned handshake_buffer_set:1; |
| 117 unsigned session_timeout_set:1; | |
| 117 unsigned try_early_data:1; | 118 unsigned try_early_data:1; |
| 118 unsigned in_early:1; | 119 unsigned in_early:1; |
| 119 unsigned in_ocsp:1; | 120 unsigned in_ocsp:1; |
| 120 unsigned early_preread:1; | 121 unsigned early_preread:1; |
| 121 unsigned write_blocked:1; | 122 unsigned write_blocked:1; |