From: Eric Hodel
Date: 2011-11-10T11:04:28+09:00
Subject: [ruby-core:40901] Re: [ruby-trunk - Feature #5341] Add SSL session reuse to Net::HTTP

On Oct 26, 2011, at 6:06 AM, Hiroshi Nakamura wrote:

> On 10/26/2011 11:39 AM, Eric Hodel wrote:
>> Net::HTTP objects can be reused. You may start and finish a
>> connection as many times as you like (the net-http-persistent gem
>> works this way).
>
> OK, so it's just I was wrong. I felt that I saw an issue for
> restarting Net::HTTP with #start after #finish, but I cannot find a
> ticket. I'm just confusing it with another issue. Either it's
> already fixed.
>
>> Currently the SSLSession can only be initialized once due to
>> OpenSSL restrictions. To change the values you must make a new
>> Net::HTTP object, so I think changing this behavior (if it is
>> needed) is a separate issue.
>
> SSLSocket --<>> SSLContext <<>-- Session
>   <>                              A
>    |                              |
>    +------------------------------+
>
> You can't modify SSLContext after you create SSLSocket. You must
> create new SSLContext for new SSLSocket if you need to update ssl
> params. It might conflict with semantics of Net::HTTP object, though
> I don't have any idea what Net::HTTP object should know.

With net/http in 1.9.3, modifying SSL parameters after Net::HTTP#start has no effect. Adding it as a new feature is not difficult, though (delete two lines). It does not cause any conflicts for Net::HTTP that I can see.

>> I will update the patch to check for the timeout, I did not know it
>> existed.
>
> OpenSSL has a client session cache in SSLContext but it's not so
> useful because you need to keep Sessions by yourself, and pick proper
> Session for each server. Here's a sample usage of client session cache:
>
> https://github.com/nahi/httpclient/commit/7fc04933961ea3ea5a2aa595172ca7cd29a718f5
>
> You would want to implement session cache instead.

I think enabling the session cache is useless for net/http because it is single-connection oriented. Instead, just using an ivar to store the session is OK.

In http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html, enabling SSL_SESS_CACHE_CLIENT says:

> Client sessions are added to the session cache. As there is no reliable way for the OpenSSL library to know whether a session should be reused or which session to choose (due to the abstract BIO layer the SSL engine does not have details about the connection), the application must select the session to be reused by using the SSL_set_session(3) function. This option is not activated by default.

I think for net/http the client session cache is useless. net/http only connects to one server per instance and will only have one context alive at a time, so the cache will not hold more than one session at a time.

Instead of jumping through the hoops of the client session cache (cache-managing class, callbacks) it will be easier to store the session in an instance variable after connect() and SSL negotiation (since there can only ever be one item in the cache for net/http) and apply the session from the ivar via SSL_set_session (SSLSocket#session=) when we call connect() again. According to SSL_SESS_CACHE_CLIENT we need to do the manual set anyways, so I don't think we should bother with a lot of work to store one thing when an instance variable works just fine.

I think for httpclient the cache makes more sense because it manages multiple connections in a single instance.

> FYI: In contrast to the client session cache, the server session cache
> is very useful and everyone should use it whenever you need a server
> session cache.

Agreed! Fortunately it is the default.
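Added example (not Eric Hodel's patch and not net/http's code): a stand-alone Ruby script that does what the mail proposes. The client keeps the negotiated session in a single instance variable after `connect` and hands it back through `SSLSocket#session=` (SSL_set_session) on the next connect, with no client-side session cache involved; the server side relies on the default server cache. The certificate, the in-process server, and the names `make_test_cert`, `start_test_server`, `SessionReusingClient` and `run_session_reuse_demo` are all constructed here for the demonstration. Both contexts are pinned to TLS 1.2 because under TLS 1.3 the resumable session arrives in a NewSessionTicket after the handshake, so the session read right after `connect` is not yet the one to reuse.

```ruby
require "openssl"
require "socket"

# Throwaway self-signed certificate for the local test server (constructed).
def make_test_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Minimal TLS server: accept, send one line, close. The server-side session
# cache (SSL_SESS_CACHE_SERVER, the OpenSSL default) is what makes resumption
# possible; the session id context is required for the server to resume.
def start_test_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER
  ctx.session_id_context = "session-reuse-demo"
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  listener = TCPServer.new("127.0.0.1", 0)
  thread = Thread.new do
    loop do
      tcp = begin
        listener.accept
      rescue IOError, Errno::EBADF
        break # listener closed by the caller
      end
      begin
        ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
        ssl.sync_close = true
        ssl.accept
        ssl.write("hello\n")
        ssl.close
      rescue StandardError
        tcp.close unless tcp.closed? # one bad client must not kill the server
      end
    end
  end
  [listener, listener.addr[1], thread]
end

# Holds exactly one session, which is all a single-connection object such as
# Net::HTTP can ever have (the mail's "ivar" approach).
class SessionReusingClient
  attr_reader :session

  def initialize(host, port)
    @host = host
    @port = port
    @ctx = OpenSSL::SSL::SSLContext.new
    @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed demo cert only
    @ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
    @session = nil
  end

  # Connects, reads the greeting, and returns whether the handshake resumed.
  def connect
    tcp = TCPSocket.new(@host, @port)
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, @ctx)
    ssl.sync_close = true
    ssl.session = @session if @session # SSL_set_session: the manual step
    ssl.connect
    reused = ssl.session_reused?
    ssl.gets                           # "hello\n"
    @session = ssl.session             # remember it for the next connect
    ssl.close
    reused
  end
end

# Returns [first_handshake_reused, second_handshake_reused].
def run_session_reuse_demo
  key, cert = make_test_cert
  listener, port, thread = start_test_server(key, cert)
  client = SessionReusingClient.new("127.0.0.1", port)
  first = client.connect
  second = client.connect
  [first, second]
ensure
  listener&.close
  thread&.join
end

puts run_session_reuse_demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby session_reuse_demo.rb`; the first connect is a full handshake and the second resumes, so the script prints `[false, true]`. Nothing on the client enables SSL_SESS_CACHE_CLIENT: as the OpenSSL documentation quoted in the mail says, the application has to pick the session and call SSL_set_session itself, and for one server that is one instance variable.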