Add TLS context cache
This merge request adds a TLS context object cache implementation. The intention of having this object is manifold:

- In the case of client-side contexts: allow reusing the previously created contexts to employ the context-specific TLS session resumption cache. That will enable XoT connections to be re-established faster and with fewer resources by not going through the full TLS handshake procedure.
- In the case of server-side contexts: reduce the number of contexts created on startup. That could reduce startup time in a case when there are many `listen-on` statements referring to a smaller number of `tls` statements, especially when `ephemeral` certificates are involved.
- The long-term goal is to provide in-memory storage for additional data associated with the certificates, like the runtime representation (`X509_STORE`) of an intermediate CA-certificates bundle for Strict TLS/Mutual TLS (`ca-file`).

Also, it makes managing the TLS contexts (`isc_tlsctx_t`) within BIND safer because these are just `typedef`s of a type provided by OpenSSL, and we are not doing reference counting on them for this reason, while the TLS context cache object does implement reference counting.
Closes #3067
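The two server-side properties the description relies on, one context per `tls` statement however many `listen-on` statements refer to it, and reference counting on the cache entry rather than on the OpenSSL-typed context, are shown below as an added illustration. This is not the merge request's `isc_tlsctx_cache` code: the function names (`tlsctx_cache_acquire`, `tlsctx_cache_release`), the linked-list layout and the four-listener configuration are all constructed for the example, and a plain struct stands in for `isc_tlsctx_t` so that no OpenSSL is needed to build it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for isc_tlsctx_t. In BIND this is a typedef of OpenSSL's SSL_CTX,
 * so the reference count lives in the cache entry, not in the context. */
typedef struct tlsctx { char name[64]; } tlsctx_t;

typedef struct cache_entry {
	tlsctx_t *ctx;
	unsigned refs;			/* listeners/clients currently holding ctx */
	struct cache_entry *next;
} cache_entry_t;

typedef struct tlsctx_cache {
	cache_entry_t *head;
	unsigned created;		/* contexts actually built, i.e. cache misses */
} tlsctx_cache_t;

tlsctx_cache_t *tlsctx_cache_new(void) {
	tlsctx_cache_t *cache = calloc(1, sizeof(*cache));
	if (cache == NULL) abort();
	return cache;
}

/* Return the context for `name`, building it only on a miss. The caller now
 * holds one reference and must pair this with tlsctx_cache_release(). */
tlsctx_t *tlsctx_cache_acquire(tlsctx_cache_t *cache, const char *name) {
	cache_entry_t *e;
	for (e = cache->head; e != NULL; e = e->next)
		if (strcmp(e->ctx->name, name) == 0) break;
	if (e == NULL) {
		e = calloc(1, sizeof(*e));
		if (e == NULL) abort();
		e->ctx = calloc(1, sizeof(*e->ctx));
		if (e->ctx == NULL) abort();
		/* a real build would load the cert/key and enable the session
		 * cache here; omitted to keep the example free of OpenSSL */
		snprintf(e->ctx->name, sizeof(e->ctx->name), "%s", name);
		e->next = cache->head;
		cache->head = e;
		cache->created++;
	}
	e->refs++;
	return e->ctx;
}

/* Drop one reference; the context is freed only when the last holder lets go,
 * so tearing down one listener never frees a context a sibling still uses.
 * Returns the remaining count (0 when freed or when `name` is unknown). */
unsigned tlsctx_cache_release(tlsctx_cache_t *cache, const char *name) {
	for (cache_entry_t **pp = &cache->head; *pp != NULL; pp = &(*pp)->next) {
		cache_entry_t *e = *pp;
		if (strcmp(e->ctx->name, name) != 0) continue;
		if (--e->refs > 0) return e->refs;
		*pp = e->next;
		free(e->ctx);
		free(e);
		return 0;
	}
	return 0;
}

typedef struct {
	unsigned created;		/* contexts built for four listeners */
	unsigned external_refs;		/* holders of the "external" context */
	int shared;			/* repeat lookups return the same object */
	unsigned internal_after_release; /* 0: freed together with its last holder */
	int entries_left;		/* 0: cache empty once everyone released */
} startup_report_t;

/* Constructed configuration: four listen-on statements, three of which refer
 * to the "external" tls statement and one to "internal". */
startup_report_t run_startup_scenario(void) {
	static const char *const listeners[] = {"external", "internal", "external", "external"};
	startup_report_t r = {0, 0, 0, 0, 0};
	tlsctx_cache_t *cache = tlsctx_cache_new();
	tlsctx_t *first = NULL;
	for (size_t i = 0; i < sizeof(listeners) / sizeof(listeners[0]); i++) {
		tlsctx_t *ctx = tlsctx_cache_acquire(cache, listeners[i]);
		if (i == 0) first = ctx;
	}
	r.created = cache->created;
	r.shared = (tlsctx_cache_acquire(cache, "external") == first);
	r.external_refs = tlsctx_cache_release(cache, "external"); /* probe ref dropped */
	r.internal_after_release = tlsctx_cache_release(cache, "internal");
	while (tlsctx_cache_release(cache, "external") > 0) { }   /* remaining listeners */
	r.entries_left = (cache->head != NULL);
	free(cache);
	return r;
}

int main(void) {
	startup_report_t r = run_startup_scenario();
	printf("built %u contexts for 4 listeners; external refs %u; shared=%d\n",
	       r.created, r.external_refs, r.shared);
	return 0;
}
```

The point to check when reviewing a cache like this is the release path: because the context type itself carries no count, a listener that calls the context's own free function instead of releasing its cache reference would leave the sibling listeners with a dangling pointer, which is exactly the class of bug the entry-level reference count is meant to rule out.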