
Add TLS context cache

Artem Boldariev requested to merge artem-tlsctx-caching into main

This merge request adds a TLS context object cache implementation. The intention of having this object is manifold:

  • In the case of client-side contexts: allow reusing the previously created contexts to employ the context-specific TLS session resumption cache. That will enable XoT connections to be re-established faster and with fewer resources by not going through the full TLS handshake procedure.

  • In the case of server-side contexts: reduce the number of contexts created on startup. That could reduce startup time in a case when there are many listen-on statements referring to a smaller number of tls statements, especially when ephemeral certificates are involved.

  • The long-term goal is to provide in-memory storage for additional data associated with the certificates, like runtime representation (X509_STORE) of intermediate CA-certificates bundle for Strict TLS/Mutual TLS (ca-file).

Also, it makes managing the TLS contexts (isc_tlsctx_t) within BIND safer because these are just typedefs of a type provided by OpenSSL, and we are not doing reference counting on them for this reason, while the TLS context cache object does implement the reference counting.

Closes #3067 (closed)

Edited by Artem Boldariev
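The following is an added illustration and not code from this merge request or from BIND: a minimal reference-counted cache of TLS contexts keyed by name, modelling the three effects described above (shared session cache on the client side, fewer contexts built for many listen-on statements on the server side, and lifetime managed by reference counting rather than by the raw OpenSSL handle). `tls_ctx_t` is a placeholder standing in for `SSL_CTX`, the listener names and the `sessions` counter are constructed for the example, and every function name (`tls_ctx_cache_get`, `count_full_handshakes`, ...) is hypothetical rather than ISC's `isc_tlsctx_cache` API.

```c
/* Added example, not BIND's code: a name-keyed, reference-counted cache of
 * TLS contexts.  tls_ctx_t stands in for OpenSSL's SSL_CTX; all names here
 * are hypothetical and not ISC's isc_tlsctx_cache API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct tls_ctx {
    char name[32];
    unsigned refs;     /* held by the cache entry plus every active user */
    unsigned sessions; /* resumable sessions stored on this context (constructed stand-in) */
} tls_ctx_t;

typedef struct cache_entry {
    tls_ctx_t *ctx;
    struct cache_entry *next;
} cache_entry_t;

typedef struct tls_ctx_cache {
    cache_entry_t *head;
    unsigned created; /* contexts actually built (the expensive step with OpenSSL) */
} tls_ctx_cache_t;

static tls_ctx_t *tls_ctx_new(const char *name) {
    tls_ctx_t *ctx = calloc(1, sizeof(*ctx));
    snprintf(ctx->name, sizeof(ctx->name), "%s", name);
    ctx->refs = 1;
    return ctx;
}

static void tls_ctx_attach(tls_ctx_t *ctx) { ctx->refs++; }

/* Drop one reference; the context is destroyed only when the last one goes. */
static void tls_ctx_detach(tls_ctx_t **ctxp) {
    tls_ctx_t *ctx = *ctxp;
    *ctxp = NULL;
    if (--ctx->refs == 0) free(ctx);
}

static tls_ctx_cache_t *tls_ctx_cache_new(void) {
    return calloc(1, sizeof(tls_ctx_cache_t));
}

/* Look up 'name', building the context on first use.  The cache keeps its own
 * reference; the caller receives another and must detach it. */
static tls_ctx_t *tls_ctx_cache_get(tls_ctx_cache_t *cache, const char *name) {
    cache_entry_t *e;
    for (e = cache->head; e != NULL; e = e->next) {
        if (strcmp(e->ctx->name, name) == 0) {
            tls_ctx_attach(e->ctx);
            return e->ctx;
        }
    }
    e = malloc(sizeof(*e));
    e->ctx = tls_ctx_new(name); /* refs == 1: the cache's own reference */
    e->next = cache->head;
    cache->head = e;
    cache->created++;
    tls_ctx_attach(e->ctx);
    return e->ctx;
}

static void tls_ctx_cache_free(tls_ctx_cache_t **cachep) {
    tls_ctx_cache_t *cache = *cachep;
    *cachep = NULL;
    while (cache->head != NULL) {
        cache_entry_t *e = cache->head;
        cache->head = e->next;
        tls_ctx_detach(&e->ctx); /* contexts still referenced elsewhere survive */
        free(e);
    }
    free(cache);
}

/* Server side: contexts built for listen-on statements that each name a tls
 * statement; statements naming the same tls block share one context. */
unsigned contexts_for_listeners(const char *const names[], size_t n) {
    tls_ctx_cache_t *cache = tls_ctx_cache_new();
    unsigned created;
    for (size_t i = 0; i < n; i++) {
        tls_ctx_t *ctx = tls_ctx_cache_get(cache, names[i]);
        tls_ctx_detach(&ctx); /* a real listener would hold this reference */
    }
    created = cache->created;
    tls_ctx_cache_free(&cache);
    return created;
}

/* Constructed input: four listeners over two tls statements. */
unsigned demo_listener_contexts(void) {
    const char *const listeners[] = { "tls-a", "tls-a", "tls-b", "tls-a" };
    return contexts_for_listeners(listeners, 4);
}

/* Client side: full handshakes over 'connections' XoT connections to one
 * upstream.  With the cache, the first handshake leaves a session on the shared
 * context and later connections resume; without it, each connection starts
 * from a fresh context whose session cache is empty. */
unsigned count_full_handshakes(unsigned connections, int use_cache) {
    tls_ctx_cache_t *cache = tls_ctx_cache_new();
    unsigned full = 0;
    for (unsigned i = 0; i < connections; i++) {
        tls_ctx_t *ctx = use_cache ? tls_ctx_cache_get(cache, "upstream")
                                   : tls_ctx_new("upstream");
        if (ctx->sessions == 0) {
            full++;          /* no resumable session yet: full handshake ... */
            ctx->sessions++; /* ... which stores one for the next connection */
        }
        tls_ctx_detach(&ctx);
    }
    tls_ctx_cache_free(&cache);
    return full;
}

int main(void) {
    printf("contexts built for 4 listeners: %u\n", demo_listener_contexts());
    printf("full handshakes, 5 connections, cached: %u\n", count_full_handshakes(5, 1));
    printf("full handshakes, 5 connections, uncached: %u\n", count_full_handshakes(5, 0));
    return 0;
}
```

The point of the reference count is visible in `tls_ctx_cache_free`: tearing the cache down drops only the cache's own reference, so a context a listener or in-flight connection still holds is not freed underneath it, which is exactly what cannot be guaranteed when callers pass around a bare OpenSSL handle.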
