This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit 5966364d4c022507faa7f51e2ffed154ed3bb167
Author: Alexey Serbin <ale...@apache.org>
AuthorDate: Wed Mar 17 18:53:03 2021 -0700

    [security] turn off TLS session cache
    
    As of now, a Kudu RPC connection cannot be re-established based on TLS
    session.  Every connection attempt leads to negotiating a new connection
    from scratch since the client should have been calling SSL_set_session()
    explicitly to use a TLS session to re-establish a previously used
    connection.  Disabling the TLS session cache on both sides helps to
    spare a bit of memory and CPU needed to maintain the cache otherwise.
    
    Change-Id: I471b2c9dd3a406bb3604d86d28b5977289af2b09
    Reviewed-on: http://gerrit.cloudera.org:8080/17197
    Tested-by: Alexey Serbin <aser...@cloudera.com>
    Reviewed-by: Grant Henke <granthe...@apache.org>
    Reviewed-by: Attila Bukor <abu...@apache.org>
---
 src/kudu/security/tls_context.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/kudu/security/tls_context.cc b/src/kudu/security/tls_context.cc
index e32e78a..0ba7053 100644
--- a/src/kudu/security/tls_context.cc
+++ b/src/kudu/security/tls_context.cc
@@ -189,6 +189,15 @@ Status TlsContext::Init() {
 
   SSL_CTX_set_options(ctx_.get(), options);
 
+  // Disable the TLS session cache on both the client and server sides. In Kudu
+  // RPC, connections are not re-established based on TLS sessions anyway. 
Every
+  // connection attempt from a client to a server results in a new connection
+  // negotiation. Disabling the TLS session cache helps to avoid using extra
+  // resources to store TLS session information and running the automatic check
+  // for expired sessions every 255 connections, as mentioned at
+  // 
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_session_cache_mode.html
+  SSL_CTX_set_session_cache_mode(ctx_.get(), SSL_SESS_CACHE_OFF);
+
   OPENSSL_RET_NOT_OK(
       SSL_CTX_set_cipher_list(ctx_.get(), tls_ciphers_.c_str()),
       "failed to set TLS ciphers");
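Review bot: SSL_SESS_CACHE_OFF only turns off the server-side session-ID cache; it does not stop OpenSSL from issuing session tickets, so unless the `options` passed to `SSL_CTX_set_options(ctx_.get(), options)` just above already include SSL_OP_NO_TICKET, the server will still generate and send a ticket on every handshake (and in TLS 1.3 still emit NewSessionTicket messages after the handshake), which is the other half of the resumption cost the comment says it wants to avoid. If the intent is to drop resumption state entirely, add SSL_OP_NO_TICKET to `options` and, for OpenSSL 1.1.1 and later, call `SSL_CTX_set_num_tickets(ctx_.get(), 0)` next to the new `SSL_CTX_set_session_cache_mode(ctx_.get(), SSL_SESS_CACHE_OFF);` line; that also avoids relying on the default ticket key, which OpenSSL generates once per SSL_CTX and never rotates. The comment could then say so explicitly instead of only referencing the session cache.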
