Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 7320:696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time. Therefore we use a callback to save the session
when we know about it. This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.
Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback. To preserve API, the session is
cached in c->ssl->session. It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 17 Jul 2018 12:53:23 +0300 |
| parents | dcab86115261 |
| children | 7ad0f4ace359 |
comparison
equal
deleted
inserted
replaced
| 7319:dcab86115261 | 7320:696df3ac27ac |
|---|---|
| 22 void *userdata); | 22 void *userdata); |
| 23 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); | 23 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); |
| 24 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, | 24 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, |
| 25 int ret); | 25 int ret); |
| 26 static void ngx_ssl_passwords_cleanup(void *data); | 26 static void ngx_ssl_passwords_cleanup(void *data); |
| 27 static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, | |
| 28 ngx_ssl_session_t *sess); | |
| 27 static void ngx_ssl_handshake_handler(ngx_event_t *ev); | 29 static void ngx_ssl_handshake_handler(ngx_event_t *ev); |
| 28 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); | 30 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); |
| 29 static void ngx_ssl_write_handler(ngx_event_t *wev); | 31 static void ngx_ssl_write_handler(ngx_event_t *wev); |
| 30 static void ngx_ssl_read_handler(ngx_event_t *rev); | 32 static void ngx_ssl_read_handler(ngx_event_t *rev); |
| 31 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); | 33 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); |
| 1160 return NGX_OK; | 1162 return NGX_OK; |
| 1161 } | 1163 } |
| 1162 | 1164 |
| 1163 | 1165 |
| 1164 ngx_int_t | 1166 ngx_int_t |
| 1167 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) | |
| 1168 { | |
| 1169 if (!enable) { | |
| 1170 return NGX_OK; | |
| 1171 } | |
| 1172 | |
| 1173 SSL_CTX_set_session_cache_mode(ssl->ctx, | |
| 1174 SSL_SESS_CACHE_CLIENT | |
| 1175 |SSL_SESS_CACHE_NO_INTERNAL); | |
| 1176 | |
| 1177 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session); | |
| 1178 | |
| 1179 return NGX_OK; | |
| 1180 } | |
| 1181 | |
| 1182 | |
| 1183 static int | |
| 1184 ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) | |
| 1185 { | |
| 1186 ngx_connection_t *c; | |
| 1187 | |
| 1188 c = ngx_ssl_get_connection(ssl_conn); | |
| 1189 | |
| 1190 if (c->ssl->save_session) { | |
| 1191 c->ssl->session = sess; | |
| 1192 | |
| 1193 c->ssl->save_session(c); | |
| 1194 | |
| 1195 c->ssl->session = NULL; | |
| 1196 } | |
| 1197 | |
| 1198 return 0; | |
| 1199 } | |
| 1200 | |
| 1201 | |
| 1202 ngx_int_t | |
| 1165 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) | 1203 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) |
| 1166 { | 1204 { |
| 1167 ngx_ssl_connection_t *sc; | 1205 ngx_ssl_connection_t *sc; |
| 1168 | 1206 |
| 1169 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); | 1207 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); |
| 1205 } | 1243 } |
| 1206 | 1244 |
| 1207 c->ssl = sc; | 1245 c->ssl = sc; |
| 1208 | 1246 |
| 1209 return NGX_OK; | 1247 return NGX_OK; |
| 1248 } | |
| 1249 | |
| 1250 | |
| 1251 ngx_ssl_session_t * | |
| 1252 ngx_ssl_get_session(ngx_connection_t *c) | |
| 1253 { | |
| 1254 #ifdef TLS1_3_VERSION | |
| 1255 if (c->ssl->session) { | |
| 1256 SSL_SESSION_up_ref(c->ssl->session); | |
| 1257 return c->ssl->session; | |
| 1258 } | |
| 1259 #endif | |
| 1260 | |
| 1261 return SSL_get1_session(c->ssl->connection); | |
| 1262 } | |
| 1263 | |
| 1264 | |
| 1265 ngx_ssl_session_t * | |
| 1266 ngx_ssl_get0_session(ngx_connection_t *c) | |
| 1267 { | |
| 1268 if (c->ssl->session) { | |
| 1269 return c->ssl->session; | |
| 1270 } | |
| 1271 | |
| 1272 return SSL_get0_session(c->ssl->connection); | |
| 1210 } | 1273 } |
| 1211 | 1274 |
| 1212 | 1275 |
| 1213 ngx_int_t | 1276 ngx_int_t |
| 1214 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) | 1277 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) |