MINOR: ssl: Setting global tune.ssl.cachesize value to 0 disables SSL session cache.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 5c15d6a..fb16c7f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -887,7 +887,8 @@
and reassigned. Higher values reduce the occurrence of such a purge, hence
the number of CPU-intensive SSL handshakes by ensuring that all users keep
their session as long as possible. All entries are pre-allocated upon startup
- and are shared between all processes if "nbproc" is greater than 1.
+ and are shared between all processes if "nbproc" is greater than 1. Setting
+ this value to 0 disables the SSL session cache.
tune.ssl.lifetime <timeout>
Sets how long a cached SSL session may remain valid. This time is expressed
diff --git a/include/proto/shctx.h b/include/proto/shctx.h
index a09c38c..a84e4a6 100644
--- a/include/proto/shctx.h
+++ b/include/proto/shctx.h
@@ -24,10 +24,6 @@
#define SHSESS_MAX_DATA_LEN 4096
#endif
-#ifndef SHCTX_DEFAULT_SIZE
-#define SHCTX_DEFAULT_SIZE 20000
-#endif
-
#ifndef SHCTX_APPNAME
#define SHCTX_APPNAME "haproxy"
#endif
@@ -35,7 +31,7 @@
/* Allocate shared memory context.
* <size> is the number of allocated blocks into cache (default 128 bytes)
* A block is large enough to contain a classic session (without client cert)
- * If <size> is set less or equal to 0, SHCTX_DEFAULT_SIZE is used.
+ * If <size> is set less or equal to 0, ssl cache is disabled.
* Set <use_shared_memory> to 1 to use a mapped shared memory instead
* of private. (ignored if compiled with USE_PRIVATE_CACHE=1).
* Returns: -1 on alloc failure, <size> if it performs context alloc,
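Review bot: The rewritten comment says a non-positive <size> now disables the cache, but the Returns line directly below still reserves 0 for "cache is already allocated", so a caller can no longer tell "disabled" from "already allocated" once the allocator returns 0 in both cases; the same stale Returns line is carried in the src/shctx.c comment hunk, and the behaviour itself comes from the `if (size<=0) return 0;` hunk in src/shctx.c. If callers only need "nothing to do", document that explicitly: `* and 0 if cache is already allocated or disabled (<size> <= 0).` If any caller branches on 0 to decide whether the shared context exists, a distinct return value (or having callers test shctx directly) would be safer than overloading 0. The declaration this comment documents is outside the hunk.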
diff --git a/src/shctx.c b/src/shctx.c
index 457aedb..151b68a 100644
--- a/src/shctx.c
+++ b/src/shctx.c
@@ -499,7 +499,7 @@
/* Allocate shared memory context.
* <size> is maximum cached sessions.
- * If <size> is set to less or equal to 0, SHCTX_DEFAULT_SIZE is used.
+ * If <size> is set to less or equal to 0, ssl cache is disabled.
* Returns: -1 on alloc failure, <size> if it performs context alloc,
* and 0 if cache is already allocated.
*/
@@ -518,7 +518,7 @@
return 0;
if (size<=0)
- size = SHCTX_DEFAULT_SIZE;
+ return 0;
/* Increate size by one to reserve one node for lookup */
size++;
@@ -579,14 +579,16 @@
* Shared context MUST be firstly initialized */
void shared_context_set_cache(SSL_CTX *ctx)
{
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
- SSL_SESS_CACHE_NO_INTERNAL |
- SSL_SESS_CACHE_NO_AUTO_CLEAR);
-
SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
- if (!shctx)
+ if (!shctx) {
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
return;
+ }
+
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
+ SSL_SESS_CACHE_NO_INTERNAL |
+ SSL_SESS_CACHE_NO_AUTO_CLEAR);
/* Set callbacks */
SSL_CTX_sess_set_new_cb(ctx, shctx_new_cb);
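Review bot: The new `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)` branch deserves a comment stating what "disabled" covers, because an operator reading the new configuration text may assume no session resumption at all. If I recall OpenSSL's semantics correctly, SSL_SESS_CACHE_OFF only turns off the server-side session-ID cache and does not affect stateless session tickets, so resumption can still happen through tickets when they are enabled on the context; worth confirming and recording in the doc hunk as well. Suggested comment above the call: `/* no shared context: disable server-side session caching; ticket-based resumption (if enabled) is unaffected */`. Setting the session-id context before the early return is harmless but could move below the check so the disabled path does as little as possible. shared_context_set_cache's body continues past the end of the hunk.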