SSL: disabled saving tickets to session cache.

OpenSSL tries to save TLSv1.3 sessions into session cache even when using tickets for stateless session resumption, "because some applications just want to know about the creation of a session". To avoid trashing session cache with useless data, we do not save such sessions now.
2022-10-12 20:14:34 +03:00 · 2022-10-12 20:14:34 +03:00 · 833473a03a
parent da83d4d495
commit 833473a03a
1 changed files with 17 additions and 0 deletions
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -3818,6 +3818,23 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
    ngx_ssl_session_cache_t  *cache;
    u_char                    buf[NGX_SSL_MAX_SESSION_SIZE];

+#ifdef TLS1_3_VERSION
+
+    /*
+     * OpenSSL tries to save TLSv1.3 sessions into session cache
+     * even when using tickets for stateless session resumption,
+     * "because some applications just want to know about the creation
+     * of a session"; do not cache such sessions
+     */
+
+    if (SSL_version(ssl_conn) == TLS1_3_VERSION
+        && (SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0)
+    {
+        return 0;
+    }
+
+#endif
+
    len = i2d_SSL_SESSION(sess, NULL);

    /* do not cache too big session */