TLS FC TTL Improvements

Alexey 2026-02-23 05:48:55 +03:00
parent b5d0564f2a
commit 4011812fda
2 changed files with 10 additions and 13 deletions


@ -121,7 +121,6 @@ where
let cached_entry = cache.get(&selected_domain).await; let cached_entry = cache.get(&selected_domain).await;
let use_full_cert_payload = cache let use_full_cert_payload = cache
.take_full_cert_budget_for_ip( .take_full_cert_budget_for_ip(
&selected_domain,
peer.ip(), peer.ip(),
Duration::from_secs(config.censorship.tls_full_cert_ttl_secs), Duration::from_secs(config.censorship.tls_full_cert_ttl_secs),
) )


@ -15,7 +15,7 @@ use crate::tls_front::types::{CachedTlsData, ParsedServerHello, TlsFetchResult};
pub struct TlsFrontCache { pub struct TlsFrontCache {
memory: RwLock<HashMap<String, Arc<CachedTlsData>>>, memory: RwLock<HashMap<String, Arc<CachedTlsData>>>,
default: Arc<CachedTlsData>, default: Arc<CachedTlsData>,
full_cert_sent: RwLock<HashMap<(String, IpAddr), Instant>>, full_cert_sent: RwLock<HashMap<IpAddr, Instant>>,
disk_path: PathBuf, disk_path: PathBuf,
} }
@ -62,11 +62,10 @@ impl TlsFrontCache {
self.memory.read().await.contains_key(domain) self.memory.read().await.contains_key(domain)
} }
/// Returns true when full cert payload should be sent for (domain, client_ip) /// Returns true when full cert payload should be sent for client_ip
/// according to TTL policy. /// according to TTL policy.
pub async fn take_full_cert_budget_for_ip( pub async fn take_full_cert_budget_for_ip(
&self, &self,
domain: &str,
client_ip: IpAddr, client_ip: IpAddr,
ttl: Duration, ttl: Duration,
) -> bool { ) -> bool {
@ -74,7 +73,7 @@ impl TlsFrontCache {
self.full_cert_sent self.full_cert_sent
.write() .write()
.await .await
.insert((domain.to_string(), client_ip), Instant::now()); .insert(client_ip, Instant::now());
return true; return true;
} }
@ -82,8 +81,7 @@ impl TlsFrontCache {
let mut guard = self.full_cert_sent.write().await; let mut guard = self.full_cert_sent.write().await;
guard.retain(|_, seen_at| now.duration_since(*seen_at) < ttl); guard.retain(|_, seen_at| now.duration_since(*seen_at) < ttl);
let key = (domain.to_string(), client_ip); match guard.get_mut(&client_ip) {
match guard.get_mut(&key) {
Some(seen_at) => { Some(seen_at) => {
if now.duration_since(*seen_at) >= ttl { if now.duration_since(*seen_at) >= ttl {
*seen_at = now; *seen_at = now;
@ -93,7 +91,7 @@ impl TlsFrontCache {
} }
} }
None => { None => {
guard.insert(key, now); guard.insert(client_ip, now);
true true
} }
} }
@ -223,16 +221,16 @@ mod tests {
let ttl = Duration::from_millis(80); let ttl = Duration::from_millis(80);
assert!(cache assert!(cache
.take_full_cert_budget_for_ip("example.com", ip, ttl) .take_full_cert_budget_for_ip(ip, ttl)
.await); .await);
assert!(!cache assert!(!cache
.take_full_cert_budget_for_ip("example.com", ip, ttl) .take_full_cert_budget_for_ip(ip, ttl)
.await); .await);
tokio::time::sleep(Duration::from_millis(90)).await; tokio::time::sleep(Duration::from_millis(90)).await;
assert!(cache assert!(cache
.take_full_cert_budget_for_ip("example.com", ip, ttl) .take_full_cert_budget_for_ip(ip, ttl)
.await); .await);
} }
@ -247,10 +245,10 @@ mod tests {
let ttl = Duration::ZERO; let ttl = Duration::ZERO;
assert!(cache assert!(cache
.take_full_cert_budget_for_ip("example.com", ip, ttl) .take_full_cert_budget_for_ip(ip, ttl)
.await); .await);
assert!(cache assert!(cache
.take_full_cert_budget_for_ip("example.com", ip, ttl) .take_full_cert_budget_for_ip(ip, ttl)
.await); .await);
} }
} }
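Review bot: Dropping the domain from the `full_cert_sent` key changes the policy from one full-cert payload per (domain, IP) per TTL to one per IP across every fronted domain, and the new doc line `/// Returns true when full cert payload should be sent for client_ip` does not say so; since every client behind a shared NAT/CGNAT egress now draws on a single budget, and the key is a bare `IpAddr` so an IPv6 client can rotate addresses within its prefix for a fresh one, the comment should state it, e.g. `/// Budget is keyed by client IP only: one full cert payload per IP per TTL across all domains (clients behind a shared NAT share one budget; IPv6 is keyed per address, not per prefix).` The updated tests only exercise repeated calls for one IP, so the cross-domain sharing is not pinned anywhere, and the call site in the other file still passes `selected_domain` to `cache.get` but no longer to the budget, which looks intentional but deserves a test there. Separately, after `guard.retain(|_, seen_at| now.duration_since(*seen_at) < ttl)` every surviving entry is younger than `ttl`, so the `if now.duration_since(*seen_at) >= ttl` refresh branch in the `Some` arm appears unreachable (pre-existing, assuming `now` is the same `Instant` taken before the lock outside this hunk). The body of `take_full_cert_budget_for_ip` starts before the `@ -74` hunk and the early `return true` path above it is not visible here.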