[ovs-dev] [PATCH 2/2] stream-ssl: Enable SSL session caching.

Ben Pfaff blp at nicira.com
Wed Aug 11 17:24:26 UTC 2010


On Tue, Aug 10, 2010 at 03:22:26PM -0700, Justin Pettit wrote:
> On Aug 9, 2010, at 4:15 PM, Ben Pfaff wrote:
> 
> > +    /* Statistics. */
> > +    COVERAGE_INC(ssl_session);
> > +    if (SSL_session_reused(sslv->ssl)) {
> > +        COVERAGE_INC(ssl_session_reused);
> > +    }
> > +
> > +    /* Delete old session, if any. */
> > +    ssl_flush_session(stream);
> 
> It wasn't immediately clear to me why you would want to flush the
> session when it was just reused.  A bit more explanation might help
> those of us who aren't blessed with being able to spend so much time
> with the OpenSSL library.

OK, I restructured the code here with some comments.

> > +    /* Add new session. */
> > +    session = SSL_get1_session(sslv->ssl);
> > +    if (session) {
> > +        shash_add(&client_sessions, stream_get_name(stream), session);
> > +        if (shash_count(&client_sessions) > MAX_CLIENT_SESSION_CACHE) {
> > +            ssl_delete_session(shash_random_node(&client_sessions));
> > +        }
> > +    }
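Review bot: the eviction runs after shash_add(), so shash_random_node() can return the node that was just inserted and the new session is thrown away immediately. Evicting before the add (or skipping the new node) avoids that. Separately, SSL_get1_session() hands back a reference that the caller owns, so ssl_delete_session() and ssl_flush_session() need to release it with SSL_SESSION_free() or each eviction leaks a session.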
> 
> Since the cache is relatively small, would it be better to delete a
> random session before adding the new one?  It seems likely that the
> newest entry is most likely to be reused in our setup.

"relatively small" is relative.  I think that most of the time there
will be only one item in the cache, because most ovs-vswitchd and
ovsdb-server instances only connect to one SSL server.  I guess if there
are multiple controllers, then there will be one cached session per
controller.

Anyway, I changed it to avoid deleting the new session.
