remove support for session id based session resumption (#11157)

Author: duke8253

doc/admin-guide/files/records.yaml.en.rst

@@ -3811,58 +3811,6 @@ SSL Termination
   Setting a value less than or equal to ``0`` effectively disables
   SSL session cache for the origin server.
 
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache INT 2
-
-   Enables the SSL session cache:
-
-   ===== ======================================================================
-   Value Description
-   ===== ======================================================================
-   ``0`` Disables the session cache entirely.
-   ``1`` Enables the session cache using OpenSSL's implementation.
-   ``2`` Default. Enables the session cache using |TS|'s implementation. This
-         implementation should perform much better than the OpenSSL
-         implementation.
-   ===== ======================================================================
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.timeout INT 0
-
-  This configuration specifies the lifetime of SSL session cache
-  entries in seconds. If it is ``0``, then the SSL library will use
-  a default value, typically 300 seconds. Note: This option has no affect
-  when using the |TS| session cache (option ``2`` in
-  ``proxy.config.ssl.session_cache``)
-
-   See :ref:`admin-performance-timeouts` for more discussion on |TS| timeouts.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.auto_clear INT 1
-
-  This will set the OpenSSL auto clear flag. Auto clear is enabled by
-  default with ``1`` it can be disabled by changing this setting to ``0``.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.size INT 102400
-
-  This configuration specifies the maximum number of entries
-  the SSL session cache may contain.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.num_buckets INT 256
-
-  This configuration specifies the number of buckets to use with the
-  |TS| SSL session cache implementation. The TS implementation
-  is a fixed size hash map where each bucket is protected by a mutex.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.skip_cache_on_bucket_contention INT 0
-
-   This configuration specifies the behavior of the |TS| SSL session
-   cache implementation during lock contention on each bucket:
-
-   ===== ======================================================================
-   Value Description
-   ===== ======================================================================
-   ``0`` Default. Don't skip session caching when bucket lock is contented.
-   ``1`` Disable the SSL session cache for a connection during lock contention.
-   ===== ======================================================================
-
 .. ts:cv:: CONFIG proxy.config.ssl.server.session_ticket.enable INT 1
 
   Set to 1 to enable Traffic Server to process TLS tickets for TLS session resumption.

include/iocore/net/TLSSessionResumptionSupport.h

@@ -51,7 +51,6 @@ class TLSSessionResumptionSupport
   bool getSSLOriginSessionCacheHit() const;
   ssl_curve_id getSSLCurveNID() const;
 
-  SSL_SESSION *getSession(SSL *ssl, const unsigned char *id, int len, int *copy);
   std::shared_ptr<SSL_SESSION> getOriginSession(SSL *ssl, const std::string &lookup_key);
 
 protected:

include/ts/ts.h

@@ -1367,11 +1367,6 @@ int TSVConnIsSsl(TSVConn sslp);
 int TSVConnProvidedSslCert(TSVConn sslp);
 const char *TSVConnSslSniGet(TSVConn sslp, int *length);
 
-TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
-int TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);
-TSReturnCode TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession add_session, TSSslConnection ssl_conn);
-TSReturnCode TSSslSessionRemove(const TSSslSessionID *session_id);
-
 /* --------------------------------------------------------------------------
    HTTP transactions */
 void TSHttpTxnHookAdd(TSHttpTxn txnp, TSHttpHookID id, TSCont contp);

src/api/InkAPI.cc

@@ -131,8 +131,6 @@ extern ClassAllocator<FetchSM> FetchSMAllocator;
 /* From proxy/http/HttpProxyServerMain.c: */
 extern bool ssl_register_protocol(const char *, Continuation *);
 
-extern SSLSessionCache *session_cache; // declared extern in P_SSLConfig.h
-
 // External converters.
 extern MgmtConverter const &HttpDownServerCacheTimeConv;
 
@@ -8371,61 +8369,6 @@ TSVConnReenableEx(TSVConn vconn, TSEvent event)
   }
 }
 
-TSSslSession
-TSSslSessionGet(const TSSslSessionID *session_id)
-{
-  SSL_SESSION *session = nullptr;
-  if (session_id && session_cache) {
-    session_cache->getSession(reinterpret_cast<const SSLSessionID &>(*session_id), &session, nullptr);
-  }
-  return reinterpret_cast<TSSslSession>(session);
-}
-
-int
-TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr)
-{
-  int true_len = 0;
-  // Don't get if there is no session id or the cache is not yet set up
-  if (session_id && session_cache && len_ptr) {
-    true_len = session_cache->getSessionBuffer(reinterpret_cast<const SSLSessionID &>(*session_id), buffer, *len_ptr);
-  }
-  return true_len;
-}
-
-TSReturnCode
-TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession add_session, TSSslConnection ssl_conn)
-{
-  // Don't insert if there is no session id or the cache is not yet set up
-  if (session_id && session_cache) {
-    if (is_debug_tag_set("ssl.session_cache")) {
-      const SSLSessionID *sid = reinterpret_cast<const SSLSessionID *>(session_id);
-      char buf[sid->len * 2 + 1];
-      sid->toString(buf, sizeof(buf));
-      Debug("ssl.session_cache.insert", "TSSslSessionInsert: Inserting session '%s' ", buf);
-    }
-    SSL_SESSION *session = reinterpret_cast<SSL_SESSION *>(add_session);
-    SSL *ssl             = reinterpret_cast<SSL *>(ssl_conn);
-    session_cache->insertSession(reinterpret_cast<const SSLSessionID &>(*session_id), session, ssl);
-    // insertSession returns void, assume all went well
-    return TS_SUCCESS;
-  } else {
-    return TS_ERROR;
-  }
-}
-
-TSReturnCode
-TSSslSessionRemove(const TSSslSessionID *session_id)
-{
-  // Don't remove if there is no session id or the cache is not yet set up
-  if (session_id && session_cache) {
-    session_cache->removeSession(reinterpret_cast<const SSLSessionID &>(*session_id));
-    // removeSession returns void, assume all went well
-    return TS_SUCCESS;
-  } else {
-    return TS_ERROR;
-  }
-}
-
 // APIs for managing and using UUIDs.
 TSUuid
 TSUuidCreate()

src/iocore/net/P_SSLConfig.h

@@ -60,12 +60,6 @@ using init_ssl_ctx_func  = void (*)(void *, bool);
 using load_ssl_file_func = void (*)(const char *);
 
 struct SSLConfigParams : public ConfigInfo {
-  enum SSL_SESSION_CACHE_MODE {
-    SSL_SESSION_CACHE_MODE_OFF                 = 0,
-    SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL = 1,
-    SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL     = 2
-  };
-
   SSLConfigParams();
   ~SSLConfigParams() override;
 
@@ -83,12 +77,6 @@ struct SSLConfigParams : public ConfigInfo {
   int verify_depth;
   int ssl_origin_session_cache;
   int ssl_origin_session_cache_size;
-  int ssl_session_cache; // SSL_SESSION_CACHE_MODE
-  int ssl_session_cache_size;
-  int ssl_session_cache_num_buckets;
-  int ssl_session_cache_skip_on_contention;
-  int ssl_session_cache_timeout;
-  int ssl_session_cache_auto_clear;
 
   char *clientCertPath;
   char *clientCertPathOnly;
@@ -139,9 +127,6 @@ struct SSLConfigParams : public ConfigInfo {
 
   static int origin_session_cache;
   static size_t origin_session_cache_size;
-  static size_t session_cache_number_buckets;
-  static size_t session_cache_max_bucket_size;
-  static bool session_cache_skip_on_lock_contention;
 
   static swoc::IPRangeSet *proxy_protocol_ip_addrs;
 
@@ -263,5 +248,4 @@ struct SSLTicketKeyConfig {
   static int configid;
 };
 
-extern SSLSessionCache *session_cache;
 extern SSLOriginSessionCache *origin_sess_cache;

src/iocore/net/SSLConfig.cc

@@ -52,29 +52,26 @@
 #include "SSLSessionTicket.h"
 #include "iocore/net/YamlSNIConfig.h"
 
-int SSLConfig::config_index                                 = 0;
-int SSLConfig::configids[]                                  = {0, 0};
-int SSLCertificateConfig::configid                          = 0;
-int SSLTicketKeyConfig::configid                            = 0;
-int SSLConfigParams::ssl_maxrecord                          = 0;
-int SSLConfigParams::ssl_misc_max_iobuffer_size_index       = 8;
-bool SSLConfigParams::ssl_allow_client_renegotiation        = false;
-bool SSLConfigParams::ssl_ocsp_enabled                      = false;
-int SSLConfigParams::ssl_ocsp_cache_timeout                 = 3600;
-bool SSLConfigParams::ssl_ocsp_request_mode                 = false;
-int SSLConfigParams::ssl_ocsp_request_timeout               = 10;
-int SSLConfigParams::ssl_ocsp_update_period                 = 60;
-char *SSLConfigParams::ssl_ocsp_user_agent                  = nullptr;
-int SSLConfigParams::ssl_handshake_timeout_in               = 0;
-int SSLConfigParams::origin_session_cache                   = 1;
-size_t SSLConfigParams::origin_session_cache_size           = 10240;
-size_t SSLConfigParams::session_cache_number_buckets        = 1024;
-bool SSLConfigParams::session_cache_skip_on_lock_contention = false;
-size_t SSLConfigParams::session_cache_max_bucket_size       = 100;
-init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb          = nullptr;
-load_ssl_file_func SSLConfigParams::load_ssl_file_cb        = nullptr;
-swoc::IPRangeSet *SSLConfigParams::proxy_protocol_ip_addrs  = nullptr;
-bool SSLConfigParams::ssl_ktls_enabled                      = false;
+int SSLConfig::config_index                                = 0;
+int SSLConfig::configids[]                                 = {0, 0};
+int SSLCertificateConfig::configid                         = 0;
+int SSLTicketKeyConfig::configid                           = 0;
+int SSLConfigParams::ssl_maxrecord                         = 0;
+int SSLConfigParams::ssl_misc_max_iobuffer_size_index      = 8;
+bool SSLConfigParams::ssl_allow_client_renegotiation       = false;
+bool SSLConfigParams::ssl_ocsp_enabled                     = false;
+int SSLConfigParams::ssl_ocsp_cache_timeout                = 3600;
+bool SSLConfigParams::ssl_ocsp_request_mode                = false;
+int SSLConfigParams::ssl_ocsp_request_timeout              = 10;
+int SSLConfigParams::ssl_ocsp_update_period                = 60;
+char *SSLConfigParams::ssl_ocsp_user_agent                 = nullptr;
+int SSLConfigParams::ssl_handshake_timeout_in              = 0;
+int SSLConfigParams::origin_session_cache                  = 1;
+size_t SSLConfigParams::origin_session_cache_size          = 10240;
+init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb         = nullptr;
+load_ssl_file_func SSLConfigParams::load_ssl_file_cb       = nullptr;
+swoc::IPRangeSet *SSLConfigParams::proxy_protocol_ip_addrs = nullptr;
+bool SSLConfigParams::ssl_ktls_enabled                     = false;
 
 const uint32_t EARLY_DATA_DEFAULT_SIZE               = 16384;
 uint32_t SSLConfigParams::server_max_early_data      = 0;
@@ -122,14 +119,7 @@ SSLConfigParams::reset()
   verifyServerProperties                               = YamlSNIConfig::Property::NONE;
   ssl_ctx_options                                      = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
   ssl_client_ctx_options                               = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-  ssl_session_cache                                    = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
-  ssl_session_cache_size                               = 1024 * 100;
-  ssl_session_cache_num_buckets = 1024; // Sessions per bucket is ceil(ssl_session_cache_size / ssl_session_cache_num_buckets)
-  ssl_session_cache_skip_on_contention = 0;
-  ssl_session_cache_timeout            = 0;
-  ssl_session_cache_auto_clear         = 1;
-  configExitOnLoadError                = 1;
-  clientCertExitOnLoadError            = 0;
+  configExitOnLoadError                                = 1;
 }
 
 void
@@ -442,23 +432,9 @@ SSLConfigParams::initialize()
   // SSL session cache configurations
   REC_ReadConfigInteger(ssl_origin_session_cache, "proxy.config.ssl.origin_session_cache.enabled");
   REC_ReadConfigInteger(ssl_origin_session_cache_size, "proxy.config.ssl.origin_session_cache.size");
-  REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache.value");
-  REC_ReadConfigInteger(ssl_session_cache_size, "proxy.config.ssl.session_cache.size");
-  REC_ReadConfigInteger(ssl_session_cache_num_buckets, "proxy.config.ssl.session_cache.num_buckets");
-  REC_ReadConfigInteger(ssl_session_cache_skip_on_contention, "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention");
-  REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout");
-  REC_ReadConfigInteger(ssl_session_cache_auto_clear, "proxy.config.ssl.session_cache.auto_clear");
 
   SSLConfigParams::origin_session_cache      = ssl_origin_session_cache;
   SSLConfigParams::origin_session_cache_size = ssl_origin_session_cache_size;
-  SSLConfigParams::session_cache_max_bucket_size =
-    static_cast<size_t>(ceil(static_cast<double>(ssl_session_cache_size) / ssl_session_cache_num_buckets));
-  SSLConfigParams::session_cache_skip_on_lock_contention = ssl_session_cache_skip_on_contention;
-  SSLConfigParams::session_cache_number_buckets          = ssl_session_cache_num_buckets;
-
-  if (ssl_session_cache == SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL) {
-    session_cache = new SSLSessionCache();
-  }
 
   if (ssl_origin_session_cache == 1 && ssl_origin_session_cache_size > 0) {
     origin_sess_cache = new SSLOriginSessionCache();