and reassigned. Higher values reduce the occurrence of such a purge, hence
the number of CPU-intensive SSL handshakes by ensuring that all users keep
their session as long as possible. All entries are pre-allocated upon startup
- and are shared between all processes if "nbproc" is greater than 1.
+ and are shared between all processes if "nbproc" is greater than 1. Setting
+ this value to 0 disables the SSL session cache.
tune.ssl.lifetime <timeout>
Sets how long a cached SSL session may remain valid. This time is expressed
#define SHSESS_MAX_DATA_LEN 4096
#endif
-#ifndef SHCTX_DEFAULT_SIZE
-#define SHCTX_DEFAULT_SIZE 20000
-#endif
-
#ifndef SHCTX_APPNAME
#define SHCTX_APPNAME "haproxy"
#endif
/* Allocate shared memory context.
* <size> is the number of allocated blocks into cache (default 128 bytes)
* A block is large enough to contain a classic session (without client cert)
- * If <size> is set less or equal to 0, SHCTX_DEFAULT_SIZE is used.
+ * If <size> is set less or equal to 0, ssl cache is disabled.
* Set <use_shared_memory> to 1 to use a mapped shared memory instead
* of private. (ignored if compiled with USE_PRIVATE_CACHE=1).
* Returns: -1 on alloc failure, <size> if it performs context alloc,
/* Allocate shared memory context.
* <size> is maximum cached sessions.
- * If <size> is set to less or equal to 0, SHCTX_DEFAULT_SIZE is used.
+ * If <size> is set to less or equal to 0, ssl cache is disabled.
* Returns: -1 on alloc failure, <size> if it performs context alloc,
* and 0 if cache is already allocated.
*/
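Review bot: The `Returns:` clause of this comment is now inconsistent with the line changed just above it: `0` is still documented as "cache is already allocated", but with the new `size <= 0` behaviour the function presumably also returns 0 when the cache is disabled, so a reader of this contract cannot tell the two outcomes apart. Change the last line to `* and 0 if cache is already allocated or <size> <= 0 (cache disabled).` The identical comment in the header hunk earlier on this page needs the same edit. The function this comment documents starts after the hunk.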
return 0;
if (size<=0)
- size = SHCTX_DEFAULT_SIZE;
+ return 0;
/* Increate size by one to reserve one node for lookup */
size++;
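Review bot: The new `return 0;` for `size<=0` reuses the value the contract reserves for "cache already allocated" (the `if (shctx) return 0;` just above returns the same thing), so a caller that compares against 0 cannot distinguish "disabled on purpose" from "init called twice"; whether any caller does so is not visible here, so this may be harmless if they only test for -1. Either return a distinct value for the disabled case or make the intent explicit at the site with `/* size <= 0: SSL session cache disabled, leave shctx unallocated */` above the early return, and update the `Returns:` documentation accordingly. The enclosing function starts and ends outside the hunk; the `Increate` typo in the context comment is pre-existing.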
* Shared context MUST be firstly initialized */
void shared_context_set_cache(SSL_CTX *ctx)
{
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
- SSL_SESS_CACHE_NO_INTERNAL |
- SSL_SESS_CACHE_NO_AUTO_CLEAR);
-
SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
- if (!shctx)
+ if (!shctx) {
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
return;
+ }
+
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
+ SSL_SESS_CACHE_NO_INTERNAL |
+ SSL_SESS_CACHE_NO_AUTO_CLEAR);
/* Set callbacks */
SSL_CTX_sess_set_new_cb(ctx, shctx_new_cb);
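Review bot: The doc comment ending at line 39 still says the shared context "MUST be firstly initialized", but the new `if (!shctx)` branch makes an uninitialized context a supported state, so the comment should read `* Shared context must be initialized first; if it was not (cache disabled), session caching is turned off on <ctx>. */`. A caveat worth recording next to the `SSL_SESS_CACHE_OFF` call: it only turns off the server-side session-ID cache, and if TLS session tickets are enabled on this context (OpenSSL's default unless `SSL_OP_NO_TICKET` is set elsewhere) clients can still resume with no cache at all, so "cache disabled" is not "resumption disabled"; a comment such as `/* No shared cache: disable session-ID caching (session tickets, if enabled, are unaffected) */` would save the next reader that surprise. The comment block begins before the hunk.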