dnsdist: Add a setting to control the number of stored sessions

pdns/dnsdist-lua.cc

@@ -1541,6 +1541,10 @@ void setupLuaConfig(bool client)
           if (vars->count("sessionTickets")) {
             frontend->d_enableTickets = boost::get<bool>((*vars)["sessionTickets"]);
           }
+
+          if (vars->count("numberOfStoredSessions")) {
+            frontend->d_maxStoredSessions = boost::get<int>((*vars)["numberOfStoredSessions"]);
+          }
         }
 
         try {

pdns/dnsdistdist/docs/reference/config.rst

@@ -92,6 +92,8 @@ Listen Sockets
   .. versionchanged:: 1.3.1
     ``certFile(s)`` and ``keyFile(s)`` parameters accept a list of files.
     ``sessionTickets`` option added.
+  .. versionchanged:: 1.3.3
+    ``numberOfStoredSessions`` option added.
 
   Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
 
@@ -113,6 +115,7 @@ Listen Sockets
   * ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
   * ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
   * ``sessionTickets``: bool - Whether session resumption via session tickets is enabled. Default is true, meaning tickets are enabled.
+  * ``numberOfStoredSessions``: int - The maximum number of sessions kept in memory at the same time. At this time this is only supported by the OpenSSL provider, as stored sessions are not supported with the GnuTLS one. Default is 20480. Setting this value to 0 disables stored session entirely.
 
 .. function:: setLocal(address[, options])
 

pdns/dnsdistdist/tcpiohandler.cc

@@ -394,15 +394,22 @@ class OpenSSLTLSIOCtx: public TLSCtx
       throw std::runtime_error("Error creating TLS context on " + fe.d_addr.toStringWithPort());
     }
 
-    /* use the internal built-in cache to store sessions */
-    SSL_CTX_set_session_cache_mode(d_tlsCtx, SSL_SESS_CACHE_SERVER);
     /* use our own ticket keys handler so we can rotate them */
     SSL_CTX_set_tlsext_ticket_key_cb(d_tlsCtx, &OpenSSLTLSIOCtx::ticketKeyCb);
     SSL_CTX_set_ex_data(d_tlsCtx, s_ticketsKeyIndex, this);
     SSL_CTX_set_options(d_tlsCtx, sslOptions);
 #if defined(SSL_CTX_set_ecdh_auto)
     SSL_CTX_set_ecdh_auto(d_tlsCtx, 1);
 #endif
+    if (fe.d_maxStoredSessions == 0) {
+      /* disable stored sessions entirely */
+      SSL_CTX_set_session_cache_mode(d_tlsCtx, SSL_SESS_CACHE_OFF);
+    }
+    else {
+      /* use the internal built-in cache to store sessions */
+      SSL_CTX_set_session_cache_mode(d_tlsCtx, SSL_SESS_CACHE_SERVER);
+      SSL_CTX_sess_set_cache_size(d_tlsCtx, fe.d_maxStoredSessions);
+    }
 
     for (const auto& pair : fe.d_certKeyPairs) {
       if (SSL_CTX_use_certificate_chain_file(d_tlsCtx, pair.first.c_str()) != 1) {

pdns/dnsdistdist/tcpiohandler.hh

@@ -135,6 +135,7 @@ public:
   std::string d_interface;
   std::string d_ticketKeyFile;
 
+  size_t d_maxStoredSessions{20480};
   time_t d_ticketsKeyRotationDelay{43200};
   int d_tcpFastOpenQueueSize{0};
   uint8_t d_numberOfTicketsKeys{5};