This is an automated email from the ASF dual-hosted git repository. alexey pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kudu.git
commit 5966364d4c022507faa7f51e2ffed154ed3bb167 Author: Alexey Serbin <ale...@apache.org> AuthorDate: Wed Mar 17 18:53:03 2021 -0700 [security] turn off TLS session cache As of now, a Kudu RPC connection cannot be re-established based on TLS session. Every connection attempt leads to negotiating a new connection from scratch since the client should have been calling SSL_set_session() explicitly to use a TLS session to re-establish previously used connection. Disabling the TLS session cache on both sides helps to spare a bit of memory and CPU needed to maintain the cache otherwise. Change-Id: I471b2c9dd3a406bb3604d86d28b5977289af2b09 Reviewed-on: http://gerrit.cloudera.org:8080/17197 Tested-by: Alexey Serbin <aser...@cloudera.com> Reviewed-by: Grant Henke <granthe...@apache.org> Reviewed-by: Attila Bukor <abu...@apache.org> --- src/kudu/security/tls_context.cc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/kudu/security/tls_context.cc b/src/kudu/security/tls_context.cc index e32e78a..0ba7053 100644 --- a/src/kudu/security/tls_context.cc +++ b/src/kudu/security/tls_context.cc @@ -189,6 +189,15 @@ Status TlsContext::Init() { SSL_CTX_set_options(ctx_.get(), options); + // Disable the TLS session cache on both the client and server sides. In Kudu + // RPC, connections are not re-established based on TLS sessions anyway. Every + // connection attempt from a client to a server results in a new connection + // negotiation. Disabling the TLS session cache helps to avoid using extra + // resources to store TLS session information and running the automatic check + // for expired sessions every 255 connections, as mentioned at + // https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_session_cache_mode.html + SSL_CTX_set_session_cache_mode(ctx_.get(), SSL_SESS_CACHE_OFF); + OPENSSL_RET_NOT_OK( SSL_CTX_set_cipher_list(ctx_.get(), tls_ciphers_.c_str()), "failed to set TLS ciphers");
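Review bot: The hunk turns off only OpenSSL's internal session cache; resumption via session tickets is governed separately, so if the intent stated in the new comment ("connections are not re-established based on TLS sessions anyway") is to rule out resumption entirely, the `SSL_CTX_set_options(ctx_.get(), options);` call just above is the place to also set `SSL_OP_NO_TICKET`, or the comment should say explicitly that ticket issuance is deliberately left unchanged. Two smaller points: the `manmaster` URL in the comment tracks OpenSSL's development branch and can drift from the behaviour of the OpenSSL version Kudu links against, so a versioned manual page (e.g. the 1.1.1 docs) would be a more stable reference for the "every 255 connections" claim; and since `SSL_SESS_CACHE_OFF` applies to both client and server contexts created by `TlsContext::Init()`, it is worth confirming no test relies on an abbreviated (resumed) handshake before merging.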