TLS: Session caching configuration support. (#7420)
* TLS: Session caching configuration support. * TLS: Remove redundant config initialization.
This commit is contained in:
Yossi Gottlieb
GitHub
parent
5266293a0f
commit
3e6f2b1a45
2
TLS.md
2
TLS.md
|
|
@ -68,8 +68,6 @@ but there are probably other good reasons to improve that part anyway.
|
||||||
To-Do List
|
To-Do List
|
||||||
----------
|
----------
|
||||||
|
|
||||||
- [ ] Add session caching support. Check if/how it's handled by clients to
|
|
||||||
assess how useful/important it is.
|
|
||||||
- [ ] redis-benchmark support. The current implementation is a mix of using
|
- [ ] redis-benchmark support. The current implementation is a mix of using
|
||||||
hiredis for parsing and basic networking (establishing connections), but
|
hiredis for parsing and basic networking (establishing connections), but
|
||||||
directly manipulating sockets for most actions. This will need to be cleaned
|
directly manipulating sockets for most actions. This will need to be cleaned
|
||||||
|
|
|
||||||
16
redis.conf
16
redis.conf
|
|
@ -199,6 +199,22 @@ tcp-keepalive 300
|
||||||
#
|
#
|
||||||
# tls-prefer-server-ciphers yes
|
# tls-prefer-server-ciphers yes
|
||||||
|
|
||||||
|
# By default, TLS session caching is enabled to allow faster and less expensive
|
||||||
|
# reconnections by clients that support it. Use the following directive to disable
|
||||||
|
# caching.
|
||||||
|
#
|
||||||
|
# tls-session-caching no
|
||||||
|
|
||||||
|
# Change the default number of TLS sessions cached. A zero value sets the cache
|
||||||
|
# to unlimited size. The default size is 20480.
|
||||||
|
#
|
||||||
|
# tls-session-cache-size 5000
|
||||||
|
|
||||||
|
# Change the default timeout of cached TLS sessions. The default timeout is 300
|
||||||
|
# seconds.
|
||||||
|
#
|
||||||
|
# tls-session-cache-timeout 60
|
||||||
|
|
||||||
################################# GENERAL #####################################
|
################################# GENERAL #####################################
|
||||||
|
|
||||||
# By default Redis does not run as a daemon. Use 'yes' if you need it.
|
# By default Redis does not run as a daemon. Use 'yes' if you need it.
|
||||||
|
|
|
||||||
11
src/config.c
11
src/config.c
|
|
@ -2071,7 +2071,7 @@ static int updateTlsCfg(char *val, char *prev, char **err) {
|
||||||
UNUSED(prev);
|
UNUSED(prev);
|
||||||
UNUSED(err);
|
UNUSED(err);
|
||||||
if (tlsConfigure(&server.tls_ctx_config) == C_ERR) {
|
if (tlsConfigure(&server.tls_ctx_config) == C_ERR) {
|
||||||
*err = "Unable to configure tls-cert-file. Check server logs.";
|
*err = "Unable to update TLS configuration. Check server logs.";
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
|
|
@ -2081,6 +2081,12 @@ static int updateTlsCfgBool(int val, int prev, char **err) {
|
||||||
UNUSED(prev);
|
UNUSED(prev);
|
||||||
return updateTlsCfg(NULL, NULL, err);
|
return updateTlsCfg(NULL, NULL, err);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int updateTlsCfgInt(long long val, long long prev, char **err) {
|
||||||
|
UNUSED(val);
|
||||||
|
UNUSED(prev);
|
||||||
|
return updateTlsCfg(NULL, NULL, err);
|
||||||
|
}
|
||||||
#endif /* USE_OPENSSL */
|
#endif /* USE_OPENSSL */
|
||||||
|
|
||||||
standardConfig configs[] = {
|
standardConfig configs[] = {
|
||||||
|
|
@ -2216,10 +2222,13 @@ standardConfig configs[] = {
|
||||||
|
|
||||||
#ifdef USE_OPENSSL
|
#ifdef USE_OPENSSL
|
||||||
createIntConfig("tls-port", NULL, IMMUTABLE_CONFIG, 0, 65535, server.tls_port, 0, INTEGER_CONFIG, NULL, NULL), /* TCP port. */
|
createIntConfig("tls-port", NULL, IMMUTABLE_CONFIG, 0, 65535, server.tls_port, 0, INTEGER_CONFIG, NULL, NULL), /* TCP port. */
|
||||||
|
createIntConfig("tls-session-cache-size", NULL, MODIFIABLE_CONFIG, 0, INT_MAX, server.tls_ctx_config.session_cache_size, 20*1024, INTEGER_CONFIG, NULL, updateTlsCfgInt),
|
||||||
|
createIntConfig("tls-session-cache-timeout", NULL, MODIFIABLE_CONFIG, 0, INT_MAX, server.tls_ctx_config.session_cache_timeout, 300, INTEGER_CONFIG, NULL, updateTlsCfgInt),
|
||||||
createBoolConfig("tls-cluster", NULL, MODIFIABLE_CONFIG, server.tls_cluster, 0, NULL, NULL),
|
createBoolConfig("tls-cluster", NULL, MODIFIABLE_CONFIG, server.tls_cluster, 0, NULL, NULL),
|
||||||
createBoolConfig("tls-replication", NULL, MODIFIABLE_CONFIG, server.tls_replication, 0, NULL, NULL),
|
createBoolConfig("tls-replication", NULL, MODIFIABLE_CONFIG, server.tls_replication, 0, NULL, NULL),
|
||||||
createBoolConfig("tls-auth-clients", NULL, MODIFIABLE_CONFIG, server.tls_auth_clients, 1, NULL, NULL),
|
createBoolConfig("tls-auth-clients", NULL, MODIFIABLE_CONFIG, server.tls_auth_clients, 1, NULL, NULL),
|
||||||
createBoolConfig("tls-prefer-server-ciphers", NULL, MODIFIABLE_CONFIG, server.tls_ctx_config.prefer_server_ciphers, 0, NULL, updateTlsCfgBool),
|
createBoolConfig("tls-prefer-server-ciphers", NULL, MODIFIABLE_CONFIG, server.tls_ctx_config.prefer_server_ciphers, 0, NULL, updateTlsCfgBool),
|
||||||
|
createBoolConfig("tls-session-caching", NULL, MODIFIABLE_CONFIG, server.tls_ctx_config.session_caching, 1, NULL, updateTlsCfgBool),
|
||||||
createStringConfig("tls-cert-file", NULL, MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.cert_file, NULL, NULL, updateTlsCfg),
|
createStringConfig("tls-cert-file", NULL, MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.cert_file, NULL, NULL, updateTlsCfg),
|
||||||
createStringConfig("tls-key-file", NULL, MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.key_file, NULL, NULL, updateTlsCfg),
|
createStringConfig("tls-key-file", NULL, MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.key_file, NULL, NULL, updateTlsCfg),
|
||||||
createStringConfig("tls-dh-params-file", NULL, MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.dh_params_file, NULL, NULL, updateTlsCfg),
|
createStringConfig("tls-dh-params-file", NULL, MODIFIABLE_CONFIG, EMPTY_STRING_IS_NULL, server.tls_ctx_config.dh_params_file, NULL, NULL, updateTlsCfg),
|
||||||
|
|
|
||||||
|
|
@ -1011,6 +1011,9 @@ typedef struct redisTLSContextConfig {
|
||||||
char *ciphers;
|
char *ciphers;
|
||||||
char *ciphersuites;
|
char *ciphersuites;
|
||||||
int prefer_server_ciphers;
|
int prefer_server_ciphers;
|
||||||
|
int session_caching;
|
||||||
|
int session_cache_size;
|
||||||
|
int session_cache_timeout;
|
||||||
} redisTLSContextConfig;
|
} redisTLSContextConfig;
|
||||||
|
|
||||||
/*-----------------------------------------------------------------------------
|
/*-----------------------------------------------------------------------------
|
||||||
|
|
|
||||||
12
src/tls.c
12
src/tls.c
|
|
@ -148,9 +148,6 @@ void tlsInit(void) {
|
||||||
}
|
}
|
||||||
|
|
||||||
pending_list = listCreate();
|
pending_list = listCreate();
|
||||||
|
|
||||||
/* Server configuration */
|
|
||||||
server.tls_auth_clients = 1; /* Secure by default */
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Attempt to configure/reconfigure TLS. This operation is atomic and will
|
/* Attempt to configure/reconfigure TLS. This operation is atomic and will
|
||||||
|
|
@ -184,6 +181,15 @@ int tlsConfigure(redisTLSContextConfig *ctx_config) {
|
||||||
SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
if (ctx_config->session_caching) {
|
||||||
|
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
|
||||||
|
SSL_CTX_sess_set_cache_size(ctx, ctx_config->session_cache_size);
|
||||||
|
SSL_CTX_set_timeout(ctx, ctx_config->session_cache_timeout);
|
||||||
|
SSL_CTX_set_session_id_context(ctx, (void *) "redis", 5);
|
||||||
|
} else {
|
||||||
|
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
||||||
|
}
|
||||||
|
|
||||||
int protocols = parseProtocolsConfig(ctx_config->protocols);
|
int protocols = parseProtocolsConfig(ctx_config->protocols);
|
||||||
if (protocols == -1) goto error;
|
if (protocols == -1) goto error;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -78,17 +78,8 @@ start_server {tags {"introspection"}} {
|
||||||
syslog-facility
|
syslog-facility
|
||||||
databases
|
databases
|
||||||
port
|
port
|
||||||
io-threads
|
|
||||||
tls-port
|
tls-port
|
||||||
tls-prefer-server-ciphers
|
io-threads
|
||||||
tls-cert-file
|
|
||||||
tls-key-file
|
|
||||||
tls-dh-params-file
|
|
||||||
tls-ca-cert-file
|
|
||||||
tls-ca-cert-dir
|
|
||||||
tls-protocols
|
|
||||||
tls-ciphers
|
|
||||||
tls-ciphersuites
|
|
||||||
logfile
|
logfile
|
||||||
unixsocketperm
|
unixsocketperm
|
||||||
slaveof
|
slaveof
|
||||||
|
|
@ -100,6 +91,23 @@ start_server {tags {"introspection"}} {
|
||||||
bgsave_cpulist
|
bgsave_cpulist
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if {!$::tls} {
|
||||||
|
append skip_configs {
|
||||||
|
tls-prefer-server-ciphers
|
||||||
|
tls-session-cache-timeout
|
||||||
|
tls-session-cache-size
|
||||||
|
tls-session-caching
|
||||||
|
tls-cert-file
|
||||||
|
tls-key-file
|
||||||
|
tls-dh-params-file
|
||||||
|
tls-ca-cert-file
|
||||||
|
tls-ca-cert-dir
|
||||||
|
tls-protocols
|
||||||
|
tls-ciphers
|
||||||
|
tls-ciphersuites
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
set configs {}
|
set configs {}
|
||||||
foreach {k v} [r config get *] {
|
foreach {k v} [r config get *] {
|
||||||
if {[lsearch $skip_configs $k] != -1} {
|
if {[lsearch $skip_configs $k] != -1} {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue