SSL cache part 2 #287
SSL cache part 2 #287
Conversation
There was a problem hiding this comment.
SSL: error message default in object caching API.
LGTM.
SSL: encrypted certificate keys are exempt from object caching.
The change looks fine, but I have some concerns:
- I wonder if it is possible to restrict the effect to the keys that actually require passphrases. Is it even worth trying?
- Do we know if the configurations that prompted the SSL cache work use
ssl_password_file? Would that regress the configuration load time for them?
SSL: caching certificates and certificate keys with variables.
Upstream: caching certificates and certificate keys with variables.
Not done looking through these, some preliminary comments:
I'm not sure if it's worth introducing both valid and inactivity with a proactive expiration logic. If I understand the intention, open file cache has both to avoid wasting a limited resource — file descriptors. Here we can allow keeping a stale cert in memory to simplify the implementation.
Actually, it doesn't belong to this series and should be fixed separately, preferably prior to the next release. |
99372a8 to
fd894b3
Compare
That's a good point.
I'm not aware of how encrypted keys are widely used. We can think about it later, if such requested arise. |
I'd rather compare this to shared SSL sessions that have a similar expiration logic. Though, I don't see a strong effect from using it here, and it somewhat duplicates the "valid=" time, so it may have sense to rethink this parameter. |
fd894b3 to
498aae0
Compare
|
Changes:
|
|
Changes:
|
|
Most notably, this change reuses ngx_file_info() and improves its error handling; improves cache policy for runtime objects. |
|
First, a general note: I feel like the logic in the dynamic cache introduction is getting too complex for a single commit. I've read the latest changes, and I disagree with equating the ability to revalidate an already cached entry with the ability to cache.
I wonder if you have any other potential uses for |
8970dba to
19a39f1
Compare
|
Merged fixup commits to use as a new baseline. |
19a39f1 to
15348cb
Compare
|
Rebase. |
Memory based objects are always inherited, engine based objects are never inherited to adhere the volatile nature of engines, file based objects are inherited subject to modification time and file index. The previous behaviour to bypass cache from the old configuration cycle is preserved with a new directive "ssl_object_cache_inheritable off;".
15348cb to
502b89b
Compare
|
Addressed @bavshin-f5 comments. |
502b89b to
b16199d
Compare
|
Addressed @bavshin-f5 comments.
|
SSL object cache, as previously introduced in 1.27.2, did not take into account encrypted certificate keys that might be unexpectedly fetched from the cache regardless of the matching passphrase. To avoid this, caching of encrypted certificate keys is now disabled based on the passphrase callback invocation. A notable exception is encrypted certificate keys configured without ssl_password_file. They are loaded once resulting in the passphrase prompt on startup and reused in other contexts as applicable.
A new directive "ssl_certificate_cache max=N [valid=time] [inactive=time]" enables caching of SSL certificate chain and secret key objects specified by "ssl_certificate" and "ssl_certificate_key" directives with variables. Co-authored-by: Aleksei Bavshin <[email protected]>
Revalidation is based on file modification time and uniq file index, and happens after the cache object validity time is expired.
Caching is enabled with proxy_ssl_certificate_cache and friends. Co-authored-by: Aleksei Bavshin <[email protected]>
This can happen with certificates and certificate keys specified with variables due to partial cache update in various scenarios: - cache expiration with only one element of pair evicted - on-disk update with non-cacheable encrypted keys - non-atomic on-disk update The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.
b16199d to
dc54502
Compare
|
password callback fixes:
|
See commits.