[
https://issues.apache.org/jira/browse/TS-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14582662#comment-14582662
]
Susan Hinrichs commented on TS-3687:
------------------------------------
Hmm. Looking more closely at the definition of SSL_CTX_sess_set_remove_cb it
seems that it is only called in the openssl internal cache case by design,
unlike the other two session cache callbacks.
https://www.openssl.org/docs/ssl/SSL_CTX_sess_set_get_cb.html
I would argue however that ATS should proactively remove stale sessions.
Reduce the system exposure for time-sensitive data and reduce the eviction
pressure on the cache.
> ATS Session Cache table never removes expired sessions
> ------------------------------------------------------
>
> Key: TS-3687
> URL: https://issues.apache.org/jira/browse/TS-3687
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
>
> While this sounds bad, it is only a performance issue. It is not a security
> issue. Openssl will not allow the expired sessions to be used.
> Here are the details.
> When you use the ATS version of the ssl session cache, ATS registers
> callbacks to handle creating new sessions, getting existing sessions,
> and removing old sessions. While debugging the new session plugin API,
> I saw that the new sessions and get session callbacks were being
> triggered but the remove session callback was never being triggered.
> At first I was concerned that we were never removing sessions from the
> cache and reusing them forever. I poked through the openssl 1.0.1 (and
> briefly the 1.0.2) code and set some break points, and verified that the
> stale sessions are being rejected but the code only tries to remove it
> from the openssl internal cache implementation (which failed and so the
> remove callback was never triggered).
> So I think this is only a performance problem. The old session cache is
> never removed from the ATS session cache until we run out of space and
> the old values are evicted.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
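An added illustration of the point made in the comment, not code from ATS or OpenSSL: a minimal external session cache with the three jobs the ATS callbacks do (store, look up, remove), the same "now >= time + timeout" staleness rule OpenSSL applies on lookup, and the proactive expiry sweep the comment argues for. Every name here (sess_cache, cache_new, cache_get, cache_sweep, the 4-slot table, the fixed timestamps) is a hypothetical stand-in chosen for the example; the clock is passed in explicitly so the scenario is deterministic and runs without linking libssl. The evictions_after_expiry scenario shows the cost the issue describes: once every entry has expired, storing one more session still evicts unless the stale entries were swept first.

```c
/* Added example, not ATS or OpenSSL code. All names are hypothetical. */
#include <string.h>
#include <time.h>

#define SESS_ID_MAX 32  /* same bound as OpenSSL's SSL_MAX_SSL_SESSION_ID_LENGTH */
#define CACHE_SLOTS 4   /* tiny on purpose so eviction is easy to trigger */

typedef struct {
    unsigned char id[SESS_ID_MAX];
    size_t id_len;
    time_t created;   /* creation time, like SSL_SESSION_get_time() */
    long timeout;     /* seconds, like SSL_SESSION_get_timeout() */
    int in_use;
} sess_entry;

typedef struct {
    sess_entry slots[CACHE_SLOTS];
    unsigned long evictions;  /* entries thrown out only to make room */
} sess_cache;

/* OpenSSL's staleness rule: a session is expired once now >= time + timeout. */
static int sess_expired(const sess_entry *e, time_t now)
{
    return now >= e->created + e->timeout;
}

/* Store a session (the new-session callback's job): take a free slot,
 * otherwise evict the oldest entry and count the eviction. */
int cache_new(sess_cache *c, const unsigned char *id, size_t id_len,
              time_t now, long timeout)
{
    int victim = -1;
    if (id_len == 0 || id_len > SESS_ID_MAX)
        return 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (!c->slots[i].in_use) { victim = i; break; }
    if (victim < 0) {
        victim = 0;
        for (int i = 1; i < CACHE_SLOTS; i++)
            if (c->slots[i].created < c->slots[victim].created)
                victim = i;
        c->evictions++;
    }
    sess_entry *e = &c->slots[victim];
    memcpy(e->id, id, id_len);
    e->id_len = id_len;
    e->created = now;
    e->timeout = timeout;
    e->in_use = 1;
    return 1;
}

/* Look a session up (the get-session callback's job). A stale entry is a
 * miss and is dropped right here, since no remove callback will report it. */
const sess_entry *cache_get(sess_cache *c, const unsigned char *id,
                            size_t id_len, time_t now)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        sess_entry *e = &c->slots[i];
        if (!e->in_use || e->id_len != id_len || memcmp(e->id, id, id_len))
            continue;
        if (!sess_expired(e, now))
            return e;
        e->in_use = 0;
        return NULL;
    }
    return NULL;
}

/* Proactive sweep: drop every expired entry; returns how many were dropped. */
int cache_sweep(sess_cache *c, time_t now)
{
    int removed = 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (c->slots[i].in_use && sess_expired(&c->slots[i], now)) {
            c->slots[i].in_use = 0;
            removed++;
        }
    return removed;
}

/* Lookup must hit before the timeout and miss after it. Returns 1 if so. */
int lookup_honours_timeout(void)
{
    sess_cache c;
    const unsigned char id[4] = { 1, 2, 3, 4 };  /* constructed session id */
    memset(&c, 0, sizeof c);
    if (!cache_new(&c, id, sizeof id, 100, 300)) return 0;
    if (cache_get(&c, id, sizeof id, 200) == NULL) return 0;  /* still live */
    return cache_get(&c, id, sizeof id, 400) == NULL;          /* expired */
}

/* Fill the cache, let everything expire, then store one more session.
 * Without a sweep the stale entries still hold their slots and the store
 * evicts one of them; after a sweep there is a free slot. Returns the
 * eviction count, i.e. the eviction pressure the comment talks about. */
unsigned long evictions_after_expiry(int sweep_first)
{
    sess_cache c;
    const time_t t0 = 1000;
    const long timeout = 300;  /* OpenSSL's default session timeout, 300 s */
    memset(&c, 0, sizeof c);
    for (int i = 0; i < CACHE_SLOTS; i++) {
        unsigned char id[SESS_ID_MAX] = { (unsigned char)i };
        cache_new(&c, id, sizeof id, t0 + i, timeout);
    }
    time_t later = t0 + timeout + 60;   /* every stored session is now stale */
    if (sweep_first)
        cache_sweep(&c, later);
    unsigned char fresh[SESS_ID_MAX] = { 0xff };
    cache_new(&c, fresh, sizeof fresh, later, timeout);
    return c.evictions;
}
```

The lookup path drops a stale entry as a side effect, which is the only chance an external cache gets to learn about expiry from OpenSSL's side; entries that are never looked up again stay until a sweep or an eviction, which is exactly the gap the sweep closes. A real implementation would run cache_sweep on a timer or piggyback it on the store path, and would take the cache lock around it.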