@@ -138,6 +138,12 @@ __ustream_ssl_context_new(bool server)
mbedtls_x509_crt_init(&ctx->cert);
mbedtls_x509_crt_init(&ctx->ca_cert);
+#if defined(MBEDTLS_SSL_CACHE_C)
+ mbedtls_ssl_cache_init(&ctx->cache);
+ mbedtls_ssl_cache_set_timeout(&ctx->cache, 30 * 60);
+ mbedtls_ssl_cache_set_max_entries(&ctx->cache, 5);
+#endif
+
conf = &ctx->conf;
mbedtls_ssl_config_init(conf);
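Review bot: The bounds `30 * 60` and `5` passed to mbedtls_ssl_cache_set_timeout and mbedtls_ssl_cache_set_max_entries are bare literals in a security-relevant place: each cache entry holds a copy of a session, including its master secret, so these two numbers are the lifetime and count limit on resumable secrets kept in memory. Name them and state the reason, e.g. `enum { SSL_CACHE_TIMEOUT_S = 30 * 60, SSL_CACHE_MAX_ENTRIES = 5 }; /* cached sessions retain the master secret; bound their lifetime and number */`, and use the constants in both calls. Whether the library also zeroises entries when they expire or are evicted is version-dependent, so the comment should promise only the bound. __ustream_ssl_context_new's body begins before this hunk.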
@@ -154,6 +160,11 @@ __ustream_ssl_context_new(bool server)
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
+#if defined(MBEDTLS_SSL_CACHE_C)
+ mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
+ mbedtls_ssl_cache_get,
+ mbedtls_ssl_cache_set);
+#endif
return ctx;
}
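Review bot: mbedtls_ssl_conf_session_cache installs server-side resumption callbacks only, so if this constructor also builds client contexts (it takes `bool server`, and the endpoint selection is outside this hunk) the cache is initialised and registered for clients that will never consult it. Consider wrapping this registration and the earlier mbedtls_ssl_cache_init block in `if (server)`, or add a one-line comment at the `#if`, e.g. `/* server-side session cache; not used by mbedtls for client endpoints */`, so a reader does not expect client-side resumption from it. Client-side resumption in mbedtls goes through mbedtls_ssl_get_session/mbedtls_ssl_set_session and is not part of this change.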
@@ -214,6 +225,9 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
__hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
{
+#if defined(MBEDTLS_SSL_CACHE_C)
+ mbedtls_ssl_cache_free(&ctx->cache);
+#endif
mbedtls_pk_free(&ctx->key);
mbedtls_x509_crt_free(&ctx->ca_cert);
mbedtls_x509_crt_free(&ctx->cert);
@@ -28,11 +28,18 @@
#include <mbedtls/version.h>
#include <mbedtls/entropy.h>
+#if defined(MBEDTLS_SSL_CACHE_C)
+#include <mbedtls/ssl_cache.h>
+#endif
+
struct ustream_ssl_ctx {
mbedtls_ssl_config conf;
mbedtls_pk_context key;
mbedtls_x509_crt ca_cert;
mbedtls_x509_crt cert;
+#if defined(MBEDTLS_SSL_CACHE_C)
+ mbedtls_ssl_cache_context cache;
+#endif
bool server;
};
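Review bot: `struct ustream_ssl_ctx` now has a size and layout that depend on MBEDTLS_SSL_CACHE_C, which presumably reaches this header through the mbedtls configuration pulled in by `<mbedtls/version.h>` above; every translation unit that allocates or accesses this struct must be compiled against the same library configuration, otherwise the `cache` member and the `server` flag after it are misplaced. If this header stays private to the library the hazard is confined to one build; if it is installed for consumers, a short comment on the `#if` such as `/* layout depends on the mbedtls build configuration */` is worth adding. Guarding the `<mbedtls/ssl_cache.h>` include with the same macro is consistent with that dependency.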
This allows the client to reuse the settings from a previous session so that no full key exchange is needed. The partial key exchange takes less than 0.1 seconds, compared to over a second needed for a full key exchange. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> --- ustream-mbedtls.c | 14 ++++++++++++++ ustream-mbedtls.h | 7 +++++++ 2 files changed, 21 insertions(+)