From: Sergey Matveev
Date: Sun, 5 Sep 2021 16:45:09 +0000 (+0300)
Subject: TLS session resumption support
X-Git-Tag: v0.1.0~88
X-Git-Url: http://www.git.stargrave.org/?p=tofuproxy.git;a=commitdiff_plain;h=bcec03384492a541a07bf0ab67c02d5277258752
TLS session resumption support
---
diff --git a/doc/index.texi b/doc/index.texi
index 4080699..62b18bc 100644
--- a/doc/index.texi
+++ b/doc/index.texi
@@ -89,6 +89,8 @@ creating some kind of complex configuration framework.
 @item Optionally DANE-EE check is also made for each domain you visit.
+@item TLS session resumption is also supported.
+
 @end itemize
 @image{dialog,,,Example dialog,.webp}
diff --git a/main.go b/main.go
index ac80e2a..69448ce 100644
--- a/main.go
+++ b/main.go
@@ -46,6 +46,7 @@ var (
 TLSNextProto: make(map[string]func(string, *tls.Conn) http.RoundTripper),
 DialTLSContext: dialTLS,
 }
+ sessionCache = tls.NewLRUClientSessionCache(1024)
 CmdDWebP = "dwebp"
 CmdDJXL = "djxl"
@@ -60,6 +61,7 @@ func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
 ) error { return verifyCert(host, nil, rawCerts, verifiedChains) },
+ ClientSessionCache: sessionCache,
 }
 conn, dialErr := tls.Dial(network, addr, &cfg)
 if dialErr != nil {
@@ -81,13 +83,17 @@ func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
 }
 }
 connState := conn.ConnectionState()
- sinkTLS <- fmt.Sprintf(
+ msg := fmt.Sprintf(
 "%s\t%s %s\t%s",
 strings.TrimSuffix(addr, ":443"),
 ucspi.TLSVersion(connState.Version),
 tls.CipherSuiteName(connState.CipherSuite),
 spkiHash(connState.PeerCertificates[0]),
 )
+ if connState.DidResume {
+ msg += "\tresumed"
+ }
+ sinkTLS <- msg
 return conn, nil
 }
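Review bot: The new `sessionCache = tls.NewLRUClientSessionCache(1024)` is a single process-wide cache with no time-based expiry and no way to opt out, so a resumption ticket for an origin is reused on every later connection until it is evicted (crypto/tls also drops an entry whose cached certificate has expired). Reusing tickets across connections lets the origin, and any passive observer on the wire, link those connections to one client (RFC 8446, Appendix C.4 discusses exactly this), which is a privacy trade-off a browsing proxy should expose as a switch rather than hard-wire. Until such a flag exists, document it at the declaration: `// One cache for all origins; tickets are reused until evicted, which lets a server or observer correlate connections (RFC 8446 C.4).` The enclosing `var (` block begins before this hunk.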
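Review bot: With `ClientSessionCache: sessionCache` in the config, a resumed handshake in Go's crypto/tls takes the peer certificates from the cached session and does not invoke `VerifyPeerCertificate`, so the `return verifyCert(host, nil, rawCerts, verifiedChains)` just above it runs only on full handshakes. That is acceptable while the pin holds, but a pin the user later rejects or replaces stays usable over resumed connections until the ticket ages out of the 1024-entry LRU, because nothing in this commit clears the cache on a pin change. Whatever path updates or deletes a pin should also call `sessionCache.Put(host, nil)` (crypto/tls keys entries by `ServerName`, which I assume is set to `host` above the hunk; `Put` with a nil state deletes the entry). A one-line comment on the new field, `// Resumed sessions skip VerifyPeerCertificate; clear the entry when a pin changes.`, would make that dependency visible. The rest of dialTLS and the pin store are outside this hunk.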