MINOR: ssl: Add tune.ssl.lifetime statement in global.

Sets the ssl session <lifetime> in seconds. Openssl default is 300 seconds.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9efd6025dc2294cd4e4b9ca908b9b0afcc02f167..289e99a34187979abbd6cdcc8d548ed3f9c2fb70 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -860,6 +860,14 @@ tune.ssl.cachesize <number>
   allocated upon startup and are shared between all processes if "nbproc" is
   greater than 1.
 
+tune.ssl.lifetime <timeout>
+  Sets how long a cached SSL session may remain valid. This time is expressed
+  in seconds and defaults to 300 (5 mn). It is important to understand that it
+  does not guarantee that sessions will last that long, because if the cache is
+  full, the longest idle sessions will be purged despite their configured
+  lifetime. The real usefulness of this setting is to prevent sessions from
+  being used for too long.
+
 tune.zlib.memlevel <number>
   Sets the memLevel parameter in zlib initialization for each session. It
   defines how much memory should be allocated for the intenal compression

diff --git a/include/types/global.h b/include/types/global.h
index 3cd0772453021e60f4cfcda35295e1fe72a2c31c..f2a010267ac9137b055f41a0b49c14037dbec8e6 100644 (file)
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -114,6 +114,7 @@ struct global {
                int max_http_hdr;  /* max number of HTTP headers, use MAX_HTTP_HDR if zero */
 #ifdef USE_OPENSSL
                int sslcachesize;  /* SSL cache size in session, defaults to 20000 */
+               unsigned int ssllifetime;   /* SSL session lifetime in seconds */
 #endif
 #ifdef USE_ZLIB
                int zlibmemlevel;    /* zlib memlevel */

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 0ca7a6f9741f19d565a7140b959ca8b27c9d8813..4ee5f89c95e64eda88dd3e92329623628599abcf 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -571,6 +571,26 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
                }
                global.tune.sslcachesize = atol(args[1]);
        }
+       else if (!strcmp(args[0], "tune.ssl.lifetime")) {
+               unsigned int ssllifetime;
+               const char *res;
+
+               if (*(args[1]) == 0) {
+                       Alert("parsing [%s:%d] : '%s' expects ssl sessions <lifetime> in seconds as argument.\n", file, linenum, args[0]);
+                       err_code |= ERR_ALERT | ERR_FATAL;
+                       goto out;
+               }
+
+               res = parse_time_err(args[1], &ssllifetime, TIME_UNIT_S);
+               if (res) {
+                       Alert("parsing [%s:%d]: unexpected character '%c' in argument to <%s>.\n",
+                             file, linenum, *res, args[0]);
+                       err_code |= ERR_ALERT | ERR_FATAL;
+                       goto out;
+               }
+
+               global.tune.ssllifetime = ssllifetime;
+       }
 #endif
        else if (!strcmp(args[0], "tune.bufsize")) {
                if (*(args[1]) == 0) {

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 75f7b5d88171437fccd0c870bc4fa2594433bc38..f6c410f342ebe46391f6a92376bd688380c3dd01 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -561,6 +561,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 #endif
        }
 
+       if (global.tune.ssllifetime)
+               SSL_CTX_set_timeout(ctx, global.tune.ssllifetime);
+
        shared_context_set_cache(ctx);
        if (bind_conf->ciphers &&
            !SSL_CTX_set_cipher_list(ctx, bind_conf->ciphers)) {
@@ -702,6 +705,9 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
 #endif
        }
 
+       if (global.tune.ssllifetime)
+               SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global.tune.ssllifetime);
+
        SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
        if (srv->ssl_ctx.ciphers &&
                !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {