Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

https: reuse TLS sessions in Agent #2228

Closed
wants to merge 1 commit into from
Closed

Conversation

indutny
Copy link
Member

@indutny indutny commented Jul 23, 2015

Fix: #1499

@indutny
Copy link
Member Author

indutny commented Jul 23, 2015

cc @nodejs/crypto @nodejs/collaborators

@brendanashworth brendanashworth added tls Issues and PRs related to the tls subsystem. https Issues or PRs related to the https subsystem. labels Jul 23, 2015
if (options._agentKey && this._tlsSessions[options._agentKey]) {
debug('reuse session for %j', options._agentKey);
options = util._extend({
session: this._tlsSessions[options._agentKey]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If session is the only one being set, maybe it is worth it to just use options.session = options.session || ...?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, but we usually try to avoid changing the objects that are passed to the function.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we already make a copy, that's why I'm asking. :) Not trying to be a stickler - you could say that call and I go back a little bit.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haha, I'd leave it as it is. Performance impact is minimal here.

@brendanashworth
Copy link
Contributor

Can this cause a memory leak for servers that make a lot of TLS connections to different servers?

@indutny
Copy link
Member Author

indutny commented Jul 23, 2015

@brendanashworth good catch! I'll revise it tomorrow

@indutny
Copy link
Member Author

indutny commented Jul 23, 2015

@brendanashworth added limit ;)

@indutny
Copy link
Member Author

indutny commented Jul 23, 2015

Any further comments @brendanashworth ? cc @bnoordhuis @shigeki ;)

@brendanashworth
Copy link
Contributor

@indutny 'tis cool and a great improvement on before :) but I'm not comfortable reviewing, too complicated - no further comments. Can't wait to see this merged!

// Unless server has resumed our existing session
if (!verifyError &&
(!options.session ||
Buffer.compare(options.session, socket.getSession()) !== 0)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW Buffer.compare() is still fairly slow right now and using a manual for-loop in js land is faster.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't there an edge case if socket.getSession() returns null?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, @shigeki !

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After some consideration - I don't think that it might be the case at this point in runtime. But I will add guard just in case.

@shigeki
Copy link
Contributor

shigeki commented Jul 24, 2015

I made several tests with/without resumption against my https server and confirmed this works fine. Good job. I put small comments for fix but LGTM.
It's not an issue but I found that TLSSocket.getPeerCertificate() returns an empty object because a server does not sent Certificate to a client in resumption. It is caused by protocol spec itself but we have to care what information is lost in resumption.

@indutny
Copy link
Member Author

indutny commented Jul 24, 2015

Thanks everyone! May I ask you to take one last look at this before I'll land it?

@indutny
Copy link
Member Author

indutny commented Jul 24, 2015

if (!next)
return false;

return Buffer.compare(session, next) === 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't care if you make this change, but could use return session.equals(next); (assuming they're both buffers).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I'll use next.equals() here.

Fix: nodejs#1499
PR-URL: nodejs#2228
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Trevor Norris <[email protected]>
@indutny
Copy link
Member Author

indutny commented Jul 27, 2015

@trevnorris fixed

@trevnorris
Copy link
Contributor

LGTM

indutny added a commit that referenced this pull request Jul 27, 2015
Fix: #1499
PR-URL: #2228
Reviewed-By: Shigeki Ohtsu <[email protected]>
Reviewed-By: Trevor Norris <[email protected]>
@indutny
Copy link
Member Author

indutny commented Jul 27, 2015

Landed in 2ca5a3d, thank you everyone!

@indutny indutny closed this Jul 27, 2015
@indutny indutny deleted the fix/gh-1499 branch July 27, 2015 18:48
nicolas-moteau added a commit to Orange-OpenSource/node that referenced this pull request Mar 6, 2019
BridgeAR pushed a commit to BridgeAR/node that referenced this pull request Mar 6, 2019
PR-URL: nodejs#26433
Refs: nodejs#2228
Refs: nodejs#4252
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BridgeAR pushed a commit to BridgeAR/node that referenced this pull request Mar 12, 2019
PR-URL: nodejs#26433
Refs: nodejs#2228
Refs: nodejs#4252
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
BridgeAR pushed a commit that referenced this pull request Mar 14, 2019
PR-URL: #26433
Refs: #2228
Refs: #4252
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
https Issues or PRs related to the https subsystem. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants