dnsdist: add sessionTimeout setting for TLS session lifetime

diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 2f20990ac55fe316176ad4767914bcab2b69ae5d..5b21ed768c849e815a83de08d8e7d507c5c1d4ab 100644 (file)
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -183,6 +183,10 @@ static void parseTLSConfig(TLSConfig& config, const std::string& context, boost:
     config.d_preferServerCiphers = boost::get<bool>((*vars)["preferServerCiphers"]);
   }
 
+  if (vars->count("sessionTimeout")) {
+    config.d_sessionTimeout = boost::get<int>((*vars)["sessionTimeout"]);
+  }
+
   if (vars->count("sessionTickets")) {
     config.d_enableTickets = boost::get<bool>((*vars)["sessionTickets"]);
   }

diff --git a/pdns/dnsdistdist/libssl.cc b/pdns/dnsdistdist/libssl.cc
index 6aa91bf0381769325920c0e4d90e4c453de801b0..6715a6d38ac7a46847666f996def073cee930f6a 100644 (file)
--- a/pdns/dnsdistdist/libssl.cc
+++ b/pdns/dnsdistdist/libssl.cc
@@ -662,6 +662,10 @@ std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> libssl_init_server_context(const TLS
 #endif /* HAVE_SSL_CTX_SET_NUM_TICKETS */
   }
 
+  if (config.d_sessionTimeout > 0) {
+    SSL_CTX_set_timeout(ctx.get(), config.d_sessionTimeout);
+  }
+
   if (config.d_preferServerCiphers) {
     sslOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
   }

diff --git a/pdns/libssl.hh b/pdns/libssl.hh
index f6a50d49df829ee36c39080c7d6377e8fee29296..b113592555c6a3c5856c73a24de685c743cadf7a 100644 (file)
--- a/pdns/libssl.hh
+++ b/pdns/libssl.hh
@@ -24,6 +24,7 @@ public:
   std::string d_keyLogFile;
 
   size_t d_maxStoredSessions{20480};
+  time_t d_sessionTimeout{0};
   time_t d_ticketsKeyRotationDelay{43200};
   uint8_t d_numberOfTicketsKeys{5};
   LibsslTLSVersion d_minTLSVersion{LibsslTLSVersion::TLS10};