From: Matti Hiljanen
Date: Mon, 2 Mar 2020 07:49:15 +0000 (+0200)
Subject: dnsdist: add sessionTimeout setting for TLS session lifetime
X-Git-Tag: dnsdist-1.5.0-alpha1~33^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2542667540bcc8e00c624943dc6b760214bcea59;p=thirdparty%2Fpdns.git

dnsdist: add sessionTimeout setting for TLS session lifetime
---

diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 2f20990ac5..5b21ed768c 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -183,6 +183,10 @@ static void parseTLSConfig(TLSConfig& config, const std::string& context, boost:
 config.d_preferServerCiphers = boost::get((*vars)["preferServerCiphers"]);
 }
 
+if (vars->count("sessionTimeout")) {
+config.d_sessionTimeout = boost::get((*vars)["sessionTimeout"]);
+}
+
 if (vars->count("sessionTickets")) {
 config.d_enableTickets = boost::get((*vars)["sessionTickets"]);
 }
diff --git a/pdns/dnsdistdist/libssl.cc b/pdns/dnsdistdist/libssl.cc
index 6aa91bf038..6715a6d38a 100644
--- a/pdns/dnsdistdist/libssl.cc
+++ b/pdns/dnsdistdist/libssl.cc
@@ -662,6 +662,10 @@ std::unique_ptr libssl_init_server_context(const TLS
 #endif /* HAVE_SSL_CTX_SET_NUM_TICKETS */
 }
 
+if (config.d_sessionTimeout > 0) {
+SSL_CTX_set_timeout(ctx.get(), config.d_sessionTimeout);
+}
+
 if (config.d_preferServerCiphers) {
 sslOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 }
diff --git a/pdns/libssl.hh b/pdns/libssl.hh
index f6a50d49df..b113592555 100644
--- a/pdns/libssl.hh
+++ b/pdns/libssl.hh
@@ -24,6 +24,7 @@ public:
 std::string d_keyLogFile;
 size_t d_maxStoredSessions{20480};
+time_t d_sessionTimeout{0};
 time_t d_ticketsKeyRotationDelay{43200};
 uint8_t d_numberOfTicketsKeys{5};
 LibsslTLSVersion d_minTLSVersion{LibsslTLSVersion::TLS10};
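Review bot: The `sessionTimeout` value in the dnsdist-lua.cc hunk is stored into `config.d_sessionTimeout` with no indication of its unit or of what zero means, and the only hint is in a different file (the libssl.cc hunk applies it only when `> 0`). The new member in the libssl.hh hunk has the same gap: a bare `time_t d_sessionTimeout{0};` next to `d_ticketsKeyRotationDelay{43200}` invites an operator to guess the unit. I would annotate the declaration, `time_t d_sessionTimeout{0}; /* seconds; 0 keeps the OpenSSL default */`, and the Lua-side read with `// session (resumption) lifetime in seconds; <= 0 leaves the library default`. The patch as shown touches no documentation file, so the new option presumably still needs an entry wherever the other TLS context options (`preferServerCiphers`, `sessionTickets`) are documented. The body of parseTLSConfig continues on both sides of the hunk.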
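Review bot: `SSL_CTX_set_timeout(ctx.get(), config.d_sessionTimeout);` in the libssl.cc hunk sets the lifetime of TLS sessions created for resumption (session cache entries and, as far as I recall, the lifetime advertised in tickets), not a connection or idle timeout, and the surrounding code gives no hint of that; a comment such as `// Lifetime of resumable sessions (cache entries / tickets), not of connections` would prevent the obvious confusion with dnsdist's other timeouts. The value interacts with the ticket settings visible in the libssl.hh hunk (`d_ticketsKeyRotationDelay{43200}`, `d_numberOfTicketsKeys{5}`): a timeout well beyond the window in which old ticket keys are still retained buys nothing for ticket resumption, while a very long timeout keeps every cached session resumable for longer, which is the usual forward-secrecy trade-off and is worth stating next to the setting. `d_sessionTimeout` is a `time_t` while `SSL_CTX_set_timeout` takes a `long`; the implicit conversion is harmless on common platforms but an explicit `static_cast<long>` would make the intent visible. The enclosing libssl_init_server_context starts and ends outside the hunk.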