[ https://issues.apache.org/jira/browse/TS-3687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Hedstrom updated TS-3687: ------------------------------ Fix Version/s: (was: 6.0.0) 6.1.0 > ATS Session Cache table never removes expired sessions > ------------------------------------------------------ > > Key: TS-3687 > URL: https://issues.apache.org/jira/browse/TS-3687 > Project: Traffic Server > Issue Type: Bug > Components: SSL > Reporter: Susan Hinrichs > Assignee: Susan Hinrichs > Fix For: 6.1.0 > > > While this sounds bad, it is only a performance issue. It is not a security > issue. Openssl will not allow the expired sessions to be used. > Here are the details. > When you use the ATS version of the ssl session cache, ATS registers > callbacks to handle creating new sessions, getting existing sessions, > and removing old sessions. While debugging the new session plugin API, > I saw that the new sessions and get session callbacks were being > triggered but the remove session callback was never being triggered. > At first I was concerned that we were never removing sessions from the > cache and reusing them forever. I poked through the openssl 1.0.1 (and > briefly the 1.0.2) code and set some break points, and verified that the > stale sessions are being rejected but the code only tries to remove it > from the openssl internal cache implementation (which failed and so the > remove callback was never triggered). > So I think this is only a performance problem. The old session cache is > never removed from the ATS session cache until we run out of space and > the old values are evicted. -- This message was sent by Atlassian JIRA (v6.3.4#6332)