Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.h @ 8084:0f3d98e4bcc5
SSL: automatic rotation of session ticket keys.
As long as ssl_session_cache in shared memory is configured, session ticket
keys are now automatically generated in shared memory, and rotated
periodically. This can be beneficial from forward secrecy point of view,
and also avoids increased CPU usage after configuration reloads.
This also helps BoringSSL to properly resume sessions in configurations
with multiple worker processes and no ssl_session_ticket_key directives,
as BoringSSL tries to automatically rotate session ticket keys and does
this independently in different worker processes, thus breaking session
resumption between worker processes.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 12 Oct 2022 20:14:53 +0300 |
| parents | c71e113b57d8 |
| children | 043006e5a0b1 |
comparison
equal
deleted
inserted
replaced
| 8083:e13a271bdd40 | 8084:0f3d98e4bcc5 |
|---|---|
| 145 #endif | 145 #endif |
| 146 }; | 146 }; |
| 147 | 147 |
| 148 | 148 |
| 149 typedef struct { | 149 typedef struct { |
| 150 u_char name[16]; | |
| 151 u_char hmac_key[32]; | |
| 152 u_char aes_key[32]; | |
| 153 time_t expire; | |
| 154 unsigned size:8; | |
| 155 unsigned shared:1; | |
| 156 } ngx_ssl_ticket_key_t; | |
| 157 | |
| 158 | |
| 159 typedef struct { | |
| 150 ngx_rbtree_t session_rbtree; | 160 ngx_rbtree_t session_rbtree; |
| 151 ngx_rbtree_node_t sentinel; | 161 ngx_rbtree_node_t sentinel; |
| 152 ngx_queue_t expire_queue; | 162 ngx_queue_t expire_queue; |
| 163 ngx_ssl_ticket_key_t ticket_keys[2]; | |
| 153 time_t fail_time; | 164 time_t fail_time; |
| 154 } ngx_ssl_session_cache_t; | 165 } ngx_ssl_session_cache_t; |
| 155 | |
| 156 | |
| 157 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB | |
| 158 | |
| 159 typedef struct { | |
| 160 size_t size; | |
| 161 u_char name[16]; | |
| 162 u_char hmac_key[32]; | |
| 163 u_char aes_key[32]; | |
| 164 } ngx_ssl_ticket_key_t; | |
| 165 | |
| 166 #endif | |
| 167 | 166 |
| 168 | 167 |
| 169 #define NGX_SSL_SSLv2 0x0002 | 168 #define NGX_SSL_SSLv2 0x0002 |
| 170 #define NGX_SSL_SSLv3 0x0004 | 169 #define NGX_SSL_SSLv3 0x0004 |
| 171 #define NGX_SSL_TLSv1 0x0008 | 170 #define NGX_SSL_TLSv1 0x0008 |