-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removed unused sessions from SSL_CTX internal cache #101684
Conversation
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones |
This reverts commit 56a308e.
and do we see positive improvements in memory use? I worry the tests we have don't quite reproesent realistic scenario. |
few things:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
CI Failures are unrelated |
* Disable OpenSSL internal SSL_SESSION cache for clients * Attempt no. 2 * Revert "Disable OpenSSL internal SSL_SESSION cache for clients" This reverts commit 56a308e.
/backport to release/8.0-staging |
Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/9036427971 |
* Disable OpenSSL internal SSL_SESSION cache for clients * Attempt no. 2 * Revert "Disable OpenSSL internal SSL_SESSION cache for clients" This reverts commit 56a308e.
Discovered when playing with #101626 and #101552.
OpenSSL keeps an internal cache for TLS sessions so that it can automatically resume previous sessions created via same SSL_CTX objects. We do our own management of TLS session tickets on clients so that we don't try to resume sessions to different hostnames, and we keep exactly one SSL_SESSION object per hostname.
However, the internal OpenSSL cache still keeps track of all the SSL_SESSION objects. A single SSL_CTX object by default will be willing to cache 20 * 1024 objects by default, in my repro, this manifested as up to about 70 MB of "leaked" memory.
The fix is to simply synchronize both caches and remove the SSL_SESSION from SSL_CTX cache when we discard it.