Does boost::asio use the SSL session cache?

Time: 2021-12-12 21:01:51

For example, I develop an email client. I know that some servers, for example imap.gmail.com, cache SSL sessions. So I want to reuse SSL sessions (from a cache on my side) to reduce server load.

I use boost::asio as the network engine. The questions are:

  1. If boost::asio::ssl::stream doesn't use the ssl-session-cache, how can I enable it?
  2. If boost::asio::ssl::stream uses the ssl-session-cache, how can I turn it off? :)

1 solution

#1


3  

boost::asio does not support an ssl-session caching mechanism directly. But, as boost::asio::ssl::stream keeps an SSL_SESSION object (from the OpenSSL library) inside, it is easy to do manually.

An implementation could be as follows:

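#include <map>
#include <string>
#include <boost/asio.hpp>
#include <boost/asio/ssl.hpp>
#include <openssl/ssl.h>

boost::asio::io_service io;
boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23_client);
boost::asio::ssl::stream<boost::asio::ip::tcp::socket> backend(io, ctx);

// need some object that will store the cache (keyed by host name)
std::map<std::string, SSL_SESSION*> ssl_cache;

// add session to the cache after a successful connection;
// SSL_get1_session() returns a new reference (or NULL), so the entry
// it replaces has to be released with SSL_SESSION_free()
if (SSL_SESSION *session = SSL_get1_session(backend.native_handle()))
{
    SSL_SESSION *&slot = ssl_cache[host];  // nullptr for a new host
    if (slot)
        SSL_SESSION_free(slot);
    slot = session;
}

// before a new connection to the 'host', check the cache
auto cached_session = ssl_cache.find(host);
if (cached_session != ssl_cache.end())
{
    // SSL_set_session() takes its own reference; the cache keeps its own
    SSL_SESSION *session = cached_session->second;
    SSL_set_session(backend.native_handle(), session);
}

// after the handshake, check whether the ssl-session was reused
if (SSL_session_reused(backend.native_handle()))
{
    // reused
}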

It is important that this approach supports both caching mechanisms:

  • ssl-tickets (RFC 5077)
  • session identifiers (RFC 5246)
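
An owning variant of the cache described in the answer above, as an added example that is not part of the original post: each stored session reference is held in a smart pointer, so replacing or expiring an entry releases it, and entries are keyed by host and port so a session is only offered back to the endpoint it came from. The class name `SessionCache`, the host/port key and the max-age policy are assumptions; the template parameter stands in for `SSL_SESSION` (with `SSL_SESSION_free` as the deleter) so the block compiles without OpenSSL.

```cpp
#include <chrono>
#include <cstddef>
#include <map>
#include <memory>
#include <string>
#include <utility>

// Session is SSL_SESSION in real use, with SSL_SESSION_free as the deleter.
template <class Session>
class SessionCache {
public:
    using Clock = std::chrono::steady_clock;
    using Deleter = void (*)(Session*);

    SessionCache(Deleter free_fn, std::chrono::seconds max_age)
        : free_fn_(free_fn), max_age_(max_age) {}

    // Takes ownership of the reference returned by SSL_get1_session().
    // A null pointer (no session was established) is ignored.
    void store(const std::string& host, unsigned short port, Session* s,
               Clock::time_point now = Clock::now()) {
        if (!s) return;
        cache_.erase(Key(host, port));  // frees the session being replaced
        cache_.emplace(Key(host, port), Entry{Ptr(s, free_fn_), now});
    }

    // Borrowed pointer to pass to SSL_set_session() (which takes its own
    // reference), or nullptr. Entries older than max_age are dropped.
    Session* lookup(const std::string& host, unsigned short port,
                    Clock::time_point now = Clock::now()) {
        auto it = cache_.find(Key(host, port));
        if (it == cache_.end()) return nullptr;
        if (now - it->second.stored > max_age_) {
            cache_.erase(it);
            return nullptr;
        }
        return it->second.session.get();
    }

    std::size_t size() const { return cache_.size(); }

private:
    using Key = std::pair<std::string, unsigned short>;
    using Ptr = std::unique_ptr<Session, Deleter>;
    struct Entry { Ptr session; Clock::time_point stored; };

    Deleter free_fn_;
    std::chrono::seconds max_age_;
    std::map<Key, Entry> cache_;
};
```

With OpenSSL this would be instantiated as `SessionCache<SSL_SESSION> cache(SSL_SESSION_free, std::chrono::seconds(300));`, where the 300-second lifetime is a constructed value.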
