Add small client TLS PSK cache (#14039)

This commit is contained in:
Klaus Post 2022-01-06 11:34:02 -08:00 committed by GitHub
parent 0d3ae3810f
commit 3d66d053c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 20 additions and 10 deletions

View File

@ -118,6 +118,9 @@ const (
// diskMinInodes is the minimum number of inodes we want free on a disk to perform writes.
diskMinInodes = 1000
// tlsClientSessionCacheSize is the cache size for client sessions.
tlsClientSessionCacheSize = 100
)
var globalCLIContext = struct {

View File

@ -184,12 +184,14 @@ func serverHandleCmdArgs(ctx *cli.Context) {
RootCAs: globalRootCAs,
CipherSuites: fips.CipherSuitesTLS(),
CurvePreferences: fips.EllipticCurvesTLS(),
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, rest.DefaultTimeout)()
globalProxyEndpoints = GetProxyEndpoints(globalEndpoints)
globalInternodeTransport = newInternodeHTTPTransport(&tls.Config{
RootCAs: globalRootCAs,
CipherSuites: fips.CipherSuitesTLS(),
CurvePreferences: fips.EllipticCurvesTLS(),
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, rest.DefaultTimeout)()
// On macOS, if a process already listens on LOCALIPADDR:PORT, net.Listen() falls back

View File

@ -1643,6 +1643,7 @@ func newRemoteClusterHTTPTransport() *http.Transport {
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{
RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
},
}
return tr

View File

@ -418,6 +418,7 @@ func getUpdateTransport(timeout time.Duration) http.RoundTripper {
ExpectContinueTimeout: timeout,
TLSClientConfig: &tls.Config{
RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
},
DisableCompression: true,
}

View File

@ -614,6 +614,7 @@ func NewGatewayHTTPTransport() *http.Transport {
func newGatewayHTTPTransport(timeout time.Duration) *http.Transport {
tr := newCustomHTTPTransport(&tls.Config{
RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}, defaultDialTimeout)()
// Customize response header timeout for gateway transport.
@ -640,6 +641,7 @@ func NewRemoteTargetHTTPTransport() *http.Transport {
ExpectContinueTimeout: 5 * time.Second,
TLSClientConfig: &tls.Config{
RootCAs: globalRootCAs,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
},
// Go net/http automatically unzip if content-type is
// gzip disable this feature, as we are always interested
@ -1135,6 +1137,7 @@ func newTLSConfig(getCert certs.GetCertificateFunc) *tls.Config {
MinVersion: tls.VersionTLS12,
NextProtos: []string{"http/1.1", "h2"},
GetCertificate: getCert,
ClientSessionCache: tls.NewLRUClientSessionCache(tlsClientSessionCacheSize),
}
tlsClientIdentity := env.Get(xtls.EnvIdentityTLSEnabled, "") == config.EnableOn