[ruby-core:40901] Re: [ruby-trunk - Feature #5341] Add SSL session reuse to Net::HTTP

< ^ > P N |<>| ^ _>< --- | ~ ...Help
On Oct 26, 2011, at 6:06 AM, Hiroshi Nakamura wrote:
> On 10/26/2011 11:39 AM, Eric Hodel wrote:
>> Net::HTTP objects can be reused.  You may start and finish a
>> connection as many times as you like (the net-http-persistent gem
>> works this way).
>=20
> OK, so it's just I was wrong.  I felt that I saw an issue for
> restarting Net::HTTP with #start after #finish, but I cannot find a
> ticket.  I'm just confusing it with another issue.  Either it's
> already fixed.
>=20
>> Currently the SSLSession can only be initialized once due to
>> OpenSSL restrictions.  To change the values you must make a new
>> Net::HTTP object, so I think changing this behavior (if it is
>> needed) is a separate issue.
>=20
> SSLSocket --<>> SSLContext <<>-- Session
>    <>                              A
>     |                              |
>     +------------------------------+
>=20
> You can't modify SSLContext after you create SSLSocket.  You must
> create new SSLContext for new SSLSocket if you need to update ssl
> params.  It might conflict with semantics of Net::HTTP object, thought
> I don't have any idea what Net::HTTP object should know.

With net/http in 1.9.3, modifying SSL parameters after Net::HTTP#start =
has no effect.  Adding it as a new feature is not difficult, though =
(delete two lines).  It does not cause any conflicts for Net::HTTP that =
I can see.

>> I will update the patch to check for the timeout, I did not know it
>> existed.
>=20
> OpenSSL has a client session cache in SSLContext but it's not so
> useful because you need to keep Sessions by yourself, and pick proper
> Session for each server.  Here's a sample usage of client session =
cache:
>=20
> =
https://github.com/nahi/httpclient/commit/7fc04933961ea3ea5a2aa595172ca7cd=
29a718f5
>=20
> You would want to implement session cache instead.

I think enabling the session cache is useless for net/http because it is =
single-connection oriented.  Instead, just using an ivar to store the =
session is OK.

In http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html, =
enabling SSL_SESS_CACHE_CLIENT says:

> Client sessions are added to the session cache. As there is no =
reliable way for the OpenSSL library to know whether a session should be =
reused or which session to choose (due to the abstract BIO layer the SSL =
engine does not have details about the connection), the application must =
select the session to be reused by using the SSL_set_session(3) =
function. This option is not activated by default.


I think for net/http the client session cache is useless.  net/http only =
connects to one server per instance and will only have one context alive =
at a time, so the cache will not hold more than one session at a time.

Instead of jumping through the hoops of the client session cache =
(cache-managing class, callbacks) it will be easier to store the session =
in an instance variable after connect() and SSL negotiation (since there =
can only ever be one item in the cache for net/http) and apply the =
session from the ivar via SSL_set_session (SSLSocket#session=3D) when we =
call connect() again.

According to SSL_SESS_CACHE_CLIENT we need to do the manual set anyways, =
so I don't think we should bother with a lot of work to store one thing =
when an instance variable works just fine.

I think for httpclient the cache makes more sense because it manages =
multiple connections in a single instance.

> FYI: In contrast to the client session cache, the server session cache
> is very useful and everyone should use it whenever you need a server
> session cache.

Agreed!  Fortunately it is the default.