[openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

Zi Lin zi.lin.cs at gmail.com
Tue Jan 5 22:44:32 UTC 2016


Hi OpenSSL devs,

I want to propose a patch that makes OpenSSL compatible with
asynchronous session lookup during session resumption. Currently, the
session lookup expects the session callback to return immediately with
success or failure. Now consider a cluster of hosts that want to pool
SSL sessions together to improve session resumption; we would like
the session lookup callback to adopt the asynchronous paradigm of
"cert_cb", i.e. cert_cb can be called repeatedly until cert_cb
has finished its job.
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/ssl/s3_srvr.c#L916

Piotr Sikora initiated this project with ideas borrowed from the BoringSSL
code base, and since then we have put in some effort to make sure no bug
is introduced.

Hence the attached patch, which enables "get_session_cb" to return a fake
session pointer that signals the pending session lookup; the SSL
state machine will adopt such a signal to resume the client hello
processing instead of erroring out. It's not a small patch since we have
touched multiple aspects of the SSL state machine. But this patch has
been verified in CloudFlare's heavy-traffic production environment for quite a
while and we consider it stable enough to be used upstream.

Any feedback is appreciated!

Best,

Zi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl-async-session-lookup.patch
Type: application/octet-stream
Size: 8979 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160105/0e93a367/attachment-0001.obj>
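The pattern the mail describes, written out as an added, self-contained C model (this is not the attached patch and not OpenSSL or BoringSSL code; every name below, such as `get_session_cb`, `SESSION_PENDING`, `tls_conn` and `run_handshake`, is hypothetical). The lookup callback returns a sentinel address meaning "still pending", the ClientHello step hands control back to the caller without failing, and an event-loop driver re-enters that step until the lookup resolves. The driver is bounded so that a cache that never answers cannot stall the handshake indefinitely, and the sentinel is compared by address only and never stored as the connection's session.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a hypothetical model of an asynchronous session-lookup
 * callback. Not the attached patch; all identifiers are invented. */

#define MAX_ID_LEN 32

typedef struct {
    unsigned char id[MAX_ID_LEN];
    int id_len;
    const char *cipher;
} tls_session;

/* Sentinel address the callback returns to mean "lookup still pending".
 * It is compared by address only and must never be dereferenced or cached. */
static tls_session pending_sentinel;
#define SESSION_PENDING (&pending_sentinel)

enum handshake_status {
    HS_RESUMED,             /* session found: abbreviated handshake */
    HS_FULL_HANDSHAKE,      /* cache miss: fall back to a full handshake */
    HS_WANT_SESSION_LOOKUP, /* lookup in flight: call again later */
    HS_ERROR                /* gave up waiting for the cache */
};

/* Constructed stand-in for a cluster-wide session cache: the first
 * polls_until_ready - 1 calls report "pending", the next one resolves. */
typedef struct {
    int polls_until_ready;
    int polls;
    tls_session *stored; /* NULL models a cache holding no entry at all */
} async_cache;

static tls_session *get_session_cb(async_cache *cache, const unsigned char *id, int id_len)
{
    cache->polls++;
    if (cache->polls < cache->polls_until_ready)
        return SESSION_PENDING;
    if (cache->stored && cache->stored->id_len == id_len &&
        memcmp(cache->stored->id, id, (size_t)id_len) == 0)
        return cache->stored;
    return NULL;
}

typedef struct {
    async_cache *cache;
    unsigned char client_id[MAX_ID_LEN];
    int client_id_len;
    tls_session *session; /* resolved session; never the sentinel */
    int lookup_calls;
} tls_conn;

/* The ClientHello step: on "pending" it returns without advancing, so the
 * caller re-enters this same step later instead of failing the handshake. */
static enum handshake_status process_client_hello(tls_conn *c)
{
    tls_session *s;
    c->lookup_calls++;
    s = get_session_cb(c->cache, c->client_id, c->client_id_len);
    if (s == SESSION_PENDING)
        return HS_WANT_SESSION_LOOKUP;
    if (s == NULL)
        return HS_FULL_HANDSHAKE;
    c->session = s;
    return HS_RESUMED;
}

/* Event-loop driver: retries while the lookup is pending, with an upper
 * bound so an unresponsive cache cannot hold the connection forever. */
static enum handshake_status run_handshake(tls_conn *c, int max_polls)
{
    int i;
    for (i = 0; i < max_polls; i++) {
        enum handshake_status st = process_client_hello(c);
        if (st != HS_WANT_SESSION_LOOKUP)
            return st;
    }
    return HS_ERROR;
}

static void init_conn(tls_conn *c, async_cache *cache, const char *id)
{
    memset(c, 0, sizeof *c);
    c->cache = cache;
    c->client_id_len = (int)strlen(id);
    memcpy(c->client_id, id, (size_t)c->client_id_len);
}

int main(void)
{
    /* Constructed sample: one cached session, resolved on the third poll. */
    tls_session cached = { "sess-A", 6, "AES128-GCM-SHA256" };
    async_cache cache = { 3, 0, &cached };
    tls_conn conn;
    init_conn(&conn, &cache, "sess-A");
    printf("status=%d after %d lookup calls\n",
           (int)run_handshake(&conn, 10), conn.lookup_calls);
    return 0;
}
```

The two things worth checking in any real implementation of this scheme are visible here: the pending sentinel never reaches `conn.session` (a real state machine must likewise never treat it as a usable `SSL_SESSION`), and a miss after a pending period degrades to a full handshake rather than an error.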

