Mercurial > hg > nginx

comparison src/event/ngx_event_openssl.h @ 7320:696df3ac27ac

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: save sessions for upstream peers using a callback function. In TLSv1.3, NewSessionTicket messages arrive after the handshake and can come at any time. Therefore we use a callback to save the session when we know about it. This approach works for < TLSv1.3 as well. The callback function is set once per location on merge phase. Since SSL_get_session() in BoringSSL returns an unresumable session for TLSv1.3, peer save_session() methods have been updated as well to use a session supplied within the callback. To preserve API, the session is cached in c->ssl->session. It is preferably accessed in save_session() methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
author Sergey Kandaurov <pluknet@nginx.com>
date Tue, 17 Jul 2018 12:53:23 +0300
parents 8076ba459f05
children ba971deb4b44
comparison
equal deleted inserted replaced
7319:dcab86115261 7320:696df3ac27ac
74 ngx_int_t last; 74 ngx_int_t last;
75 ngx_buf_t *buf; 75 ngx_buf_t *buf;
76 size_t buffer_size; 76 size_t buffer_size;
77 77
78 ngx_connection_handler_pt handler; 78 ngx_connection_handler_pt handler;
79
80 ngx_ssl_session_t *session;
81 ngx_connection_handler_pt save_session;
79 82
80 ngx_event_handler_pt saved_read_handler; 83 ngx_event_handler_pt saved_read_handler;
81 ngx_event_handler_pt saved_write_handler; 84 ngx_event_handler_pt saved_write_handler;
82 85
83 unsigned handshaked:1; 86 unsigned handshaked:1;
166 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, 169 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
167 int key_length); 170 int key_length);
168 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file); 171 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
169 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file); 172 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
170 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name); 173 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
174 ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
175 ngx_uint_t enable);
171 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, 176 ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
172 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); 177 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
173 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, 178 ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
174 ngx_array_t *paths); 179 ngx_array_t *paths);
175 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); 180 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
176 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, 181 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
177 ngx_uint_t flags); 182 ngx_uint_t flags);
178 183
179 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); 184 void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
180 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session); 185 ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
181 #define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection) 186 ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
187 ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
182 #define ngx_ssl_free_session SSL_SESSION_free 188 #define ngx_ssl_free_session SSL_SESSION_free
183 #define ngx_ssl_get_connection(ssl_conn) \ 189 #define ngx_ssl_get_connection(ssl_conn) \
184 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index) 190 SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
185 #define ngx_ssl_get_server_conf(ssl_ctx) \ 191 #define ngx_ssl_get_server_conf(ssl_ctx) \
186 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index) 192 SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_server_conf_index)