Add TLS 1.3 session resumption to OpenSSL backend#5072
Open
sauwming wants to merge 2 commits into
Open
Conversation
Implement client-side session resumption and server-side ticket issuance in the OpenSSL secure socket backend, controlled by a new opt-in param pj_ssl_sock_param.enable_session_reuse (default off). TLS 1.3 delivers the resumption ticket via a NewSessionTicket message after the handshake, and each outgoing connection uses its own SSL_CTX, so captured sessions are held in a process-global, mutex-protected cache keyed by server name (SSL_CTX_sess_set_new_cb + SSL_set_session). The same flag re-enables server-side ticket issuance, which was previously always disabled. - ssl_sock.h/config.h: new enable_session_reuse param, session_reused info field, and PJ_SSL_SOCK_OSSL_SESS_CACHE_SIZE (default 64). - ssl_sock_ossl.c: session cache, new-session callback, and injection; gate server ticket disabling on the flag. - ssl_sock_imp_common.c: report session_reused via SSL_session_reused(). - pjlib-test/ssl_sock.c: session_reuse_test() verifies a second connection resumes the cached session. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds opt-in TLS session resumption support to PJLIB’s OpenSSL secure-socket backend by caching client sessions per server_name and allowing the server side to issue TLS session tickets (including TLS 1.3), plus a pjlib-test that validates “full handshake then resumed handshake”.
Changes:
- Introduces
pj_ssl_sock_param.enable_session_reuse(default off) and exposespj_ssl_sock_info.session_reused. - Implements a process-global, mutex-protected OpenSSL
SSL_SESSIONcache keyed byserver_name, with MRU/LRU eviction and atexit cleanup. - Adds an OpenSSL-only pjlib-test that creates a ticket-issuing TLS 1.3 server and asserts the 2nd client connection resumes.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
pjlib/src/pjlib-test/ssl_sock.c |
Adds TLS 1.3 session resumption test coverage for the OpenSSL backend. |
pjlib/src/pj/ssl_sock_ossl.c |
Implements session caching + injection and gates server ticket disabling behind the new flag. |
pjlib/src/pj/ssl_sock_imp_common.c |
Populates info.session_reused for established OpenSSL connections. |
pjlib/include/pj/ssl_sock.h |
Adds new API fields for enabling session reuse and reporting reuse status. |
pjlib/include/pj/config.h |
Adds configurable OpenSSL session cache size macro. |
Comment on lines
+717
to
+721
| if (ssock && ssock->param.server_name.slen) { | ||
| sess_cache_store(&ssock->param.server_name, sess); | ||
| return 1; | ||
| } | ||
| return 0; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds TLS session resumption to the OpenSSL secure-socket backend, controlled by a new opt-in param
pj_ssl_sock_param.enable_session_reuse(default off).Previously every outgoing TLS connection performed a full handshake and the server side actively disabled session tickets. TLS 1.3 delivers the resumption ticket via a
NewSessionTicketmessage after the handshake, and each outgoing connection uses its ownSSL_CTX, so captured sessions are held in a process-global, mutex-protected cache keyed by server name and re-injected on the next connection to the same host.When
enable_session_reuseis set:server_name(viaSSL_CTX_sess_set_new_cb) and resumes them (SSL_set_session), avoiding a full handshake.Changes
ssl_sock.h/config.h: newenable_session_reuseparam,session_reusedinfo field, andPJ_SSL_SOCK_OSSL_SESS_CACHE_SIZE(default 64).ssl_sock_ossl.c: session cache + helpers (correctSSL_SESSIONref-counting, LRU eviction,pj_atexitcleanup for ASan), new-session callback, session injection inssl_create, and gating of server ticket disabling on the flag. Guarded to OpenSSL ≥ 1.1.0.ssl_sock_imp_common.c: populateinfo.session_reusedviaSSL_session_reused().pjlib-test/ssl_sock.c:session_reuse_test()opens a ticket-issuing server and makes two client connections, asserting the first is a full handshake and the second resumes.Testing
-Wall) against OpenSSL 3.4.1.pjlib+pjlib-testbuild and link cleanly.session_reuse_testruns as part ofpjlib-test ssl_sockin OpenSSL-enabled builds (e.g. CI).Notes
server_name(e.g. connecting by IP) → resumption is skipped.pjsip_tls_settingin this change; lives at the pjlibpj_ssl_socklevel.