MINOR: ssl: Add tune.ssl.lifetime statement in global.
Sets the SSL session <lifetime> in seconds. The OpenSSL default is 300 seconds.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9efd602..289e99a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -860,6 +860,14 @@
allocated upon startup and are shared between all processes if "nbproc" is
greater than 1.
+tune.ssl.lifetime <timeout>
+ Sets how long a cached SSL session may remain valid. This time is expressed
+ in seconds and defaults to 300 (5 mn). It is important to understand that it
+ does not guarantee that sessions will last that long, because if the cache is
+ full, the longest idle sessions will be purged despite their configured
+ lifetime. The real usefulness of this setting is to prevent sessions from
+ being used for too long.
+
tune.zlib.memlevel <number>
Sets the memLevel parameter in zlib initialization for each session. It
defines how much memory should be allocated for the intenal compression
diff --git a/include/types/global.h b/include/types/global.h
index 3cd0772..f2a0102 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -114,6 +114,7 @@
int max_http_hdr; /* max number of HTTP headers, use MAX_HTTP_HDR if zero */
#ifdef USE_OPENSSL
int sslcachesize; /* SSL cache size in session, defaults to 20000 */
+ unsigned int ssllifetime; /* SSL session lifetime in seconds */
#endif
#ifdef USE_ZLIB
int zlibmemlevel; /* zlib memlevel */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 0ca7a6f..4ee5f89 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -571,6 +571,26 @@
}
global.tune.sslcachesize = atol(args[1]);
}
+ else if (!strcmp(args[0], "tune.ssl.lifetime")) {
+ unsigned int ssllifetime;
+ const char *res;
+
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects ssl sessions <lifetime> in seconds as argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
+ res = parse_time_err(args[1], &ssllifetime, TIME_UNIT_S);
+ if (res) {
+ Alert("parsing [%s:%d]: unexpected character '%c' in argument to <%s>.\n",
+ file, linenum, *res, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
+ global.tune.ssllifetime = ssllifetime;
+ }
#endif
else if (!strcmp(args[0], "tune.bufsize")) {
if (*(args[1]) == 0) {
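Review bot: The new branch stores whatever parse_time_err() yields, including 0, while both consumers added in src/ssl_sock.c guard the call with `if (global.tune.ssllifetime)`, so an explicit `tune.ssl.lifetime 0` is silently treated as "not configured" and OpenSSL's default applies instead of what the user wrote. Either reject it after the parse, `if (!ssllifetime) { Alert("parsing [%s:%d] : '%s' expects a non-zero ssl session lifetime.\n", file, linenum, args[0]); err_code |= ERR_ALERT | ERR_FATAL; goto out; }`, or state the convention in the field comment in include/types/global.h, `/* SSL session lifetime in seconds, 0 = use the OpenSSL default */`, and in the doc/configuration.txt entry. As a point of style, the two Alert() formats in this branch differ (`"parsing [%s:%d] : "` on the first, `"parsing [%s:%d]: "` on the second) and should use one spelling. The enclosing parser function starts and ends outside the hunk.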
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 75f7b5d..f6c410f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -561,6 +561,9 @@
#endif
}
+ if (global.tune.ssllifetime)
+ SSL_CTX_set_timeout(ctx, global.tune.ssllifetime);
+
shared_context_set_cache(ctx);
if (bind_conf->ciphers &&
!SSL_CTX_set_cipher_list(ctx, bind_conf->ciphers)) {
@@ -702,6 +705,9 @@
#endif
}
+ if (global.tune.ssllifetime)
+ SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global.tune.ssllifetime);
+
SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
if (srv->ssl_ctx.ciphers &&
!SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {