Merge master into 11-Dev

Conflicts are related to:
https://github.com/apache/trafficserver/pull/11157
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8453384..b795424 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,7 @@
 endif()
 
 cmake_minimum_required(VERSION 3.20..3.27)
-project(ats VERSION 10.1.0)
+project(ats VERSION 11.0.0)
 
 set(TS_VERSION_MAJOR ${PROJECT_VERSION_MAJOR})
 set(TS_VERSION_MINOR ${PROJECT_VERSION_MINOR})
diff --git a/doc/admin-guide/files/records.yaml.en.rst b/doc/admin-guide/files/records.yaml.en.rst
index ba94d19..436bd41 100644
--- a/doc/admin-guide/files/records.yaml.en.rst
+++ b/doc/admin-guide/files/records.yaml.en.rst
@@ -3820,58 +3820,6 @@
   Setting a value less than or equal to ``0`` effectively disables
   SSL session cache for the origin server.
 
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache INT 2
-
-   Enables the SSL session cache:
-
-   ===== ======================================================================
-   Value Description
-   ===== ======================================================================
-   ``0`` Disables the session cache entirely.
-   ``1`` Enables the session cache using OpenSSL's implementation.
-   ``2`` Default. Enables the session cache using |TS|'s implementation. This
-         implementation should perform much better than the OpenSSL
-         implementation.
-   ===== ======================================================================
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.timeout INT 0
-
-  This configuration specifies the lifetime of SSL session cache
-  entries in seconds. If it is ``0``, then the SSL library will use
-  a default value, typically 300 seconds. Note: This option has no affect
-  when using the |TS| session cache (option ``2`` in
-  ``proxy.config.ssl.session_cache``)
-
-   See :ref:`admin-performance-timeouts` for more discussion on |TS| timeouts.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.auto_clear INT 1
-
-  This will set the OpenSSL auto clear flag. Auto clear is enabled by
-  default with ``1`` it can be disabled by changing this setting to ``0``.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.size INT 102400
-
-  This configuration specifies the maximum number of entries
-  the SSL session cache may contain.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.num_buckets INT 256
-
-  This configuration specifies the number of buckets to use with the
-  |TS| SSL session cache implementation. The TS implementation
-  is a fixed size hash map where each bucket is protected by a mutex.
-
-.. ts:cv:: CONFIG proxy.config.ssl.session_cache.skip_cache_on_bucket_contention INT 0
-
-   This configuration specifies the behavior of the |TS| SSL session
-   cache implementation during lock contention on each bucket:
-
-   ===== ======================================================================
-   Value Description
-   ===== ======================================================================
-   ``0`` Default. Don't skip session caching when bucket lock is contented.
-   ``1`` Disable the SSL session cache for a connection during lock contention.
-   ===== ======================================================================
-
 .. ts:cv:: CONFIG proxy.config.ssl.server.session_ticket.enable INT 1
 
   Set to 1 to enable Traffic Server to process TLS tickets for TLS session resumption.
diff --git a/include/iocore/net/TLSSessionResumptionSupport.h b/include/iocore/net/TLSSessionResumptionSupport.h
index 5c61055..4088d4f 100644
--- a/include/iocore/net/TLSSessionResumptionSupport.h
+++ b/include/iocore/net/TLSSessionResumptionSupport.h
@@ -52,7 +52,6 @@
   bool         getSSLOriginSessionCacheHit() const;
   ssl_curve_id getSSLCurveNID() const;
 
-  SSL_SESSION                 *getSession(SSL *ssl, const unsigned char *id, int len, int *copy);
   std::shared_ptr<SSL_SESSION> getOriginSession(SSL *ssl, const std::string &lookup_key);
 
 protected:
diff --git a/include/ts/ts.h b/include/ts/ts.h
index 2911d72..5e00fa7 100644
--- a/include/ts/ts.h
+++ b/include/ts/ts.h
@@ -1367,11 +1367,6 @@
 int         TSVConnProvidedSslCert(TSVConn sslp);
 const char *TSVConnSslSniGet(TSVConn sslp, int *length);
 
-TSSslSession TSSslSessionGet(const TSSslSessionID *session_id);
-int          TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr);
-TSReturnCode TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession add_session, TSSslConnection ssl_conn);
-TSReturnCode TSSslSessionRemove(const TSSslSessionID *session_id);
-
 /* --------------------------------------------------------------------------
    HTTP transactions */
 void      TSHttpTxnHookAdd(TSHttpTxn txnp, TSHttpHookID id, TSCont contp);
diff --git a/src/api/InkAPI.cc b/src/api/InkAPI.cc
index c766b7c..616f836 100644
--- a/src/api/InkAPI.cc
+++ b/src/api/InkAPI.cc
@@ -133,8 +133,6 @@
 /* From proxy/http/HttpProxyServerMain.c: */
 extern bool ssl_register_protocol(const char *, Continuation *);
 
-extern SSLSessionCache *session_cache; // declared extern in P_SSLConfig.h
-
 // External converters.
 extern MgmtConverter const &HttpDownServerCacheTimeConv;
 
@@ -8392,61 +8390,6 @@
   }
 }
 
-TSSslSession
-TSSslSessionGet(const TSSslSessionID *session_id)
-{
-  SSL_SESSION *session = nullptr;
-  if (session_id && session_cache) {
-    session_cache->getSession(reinterpret_cast<const SSLSessionID &>(*session_id), &session, nullptr);
-  }
-  return reinterpret_cast<TSSslSession>(session);
-}
-
-int
-TSSslSessionGetBuffer(const TSSslSessionID *session_id, char *buffer, int *len_ptr)
-{
-  int true_len = 0;
-  // Don't get if there is no session id or the cache is not yet set up
-  if (session_id && session_cache && len_ptr) {
-    true_len = session_cache->getSessionBuffer(reinterpret_cast<const SSLSessionID &>(*session_id), buffer, *len_ptr);
-  }
-  return true_len;
-}
-
-TSReturnCode
-TSSslSessionInsert(const TSSslSessionID *session_id, TSSslSession add_session, TSSslConnection ssl_conn)
-{
-  // Don't insert if there is no session id or the cache is not yet set up
-  if (session_id && session_cache) {
-    if (is_debug_tag_set("ssl.session_cache")) {
-      const SSLSessionID *sid = reinterpret_cast<const SSLSessionID *>(session_id);
-      char                buf[sid->len * 2 + 1];
-      sid->toString(buf, sizeof(buf));
-      Debug("ssl.session_cache.insert", "TSSslSessionInsert: Inserting session '%s' ", buf);
-    }
-    SSL_SESSION *session = reinterpret_cast<SSL_SESSION *>(add_session);
-    SSL         *ssl     = reinterpret_cast<SSL *>(ssl_conn);
-    session_cache->insertSession(reinterpret_cast<const SSLSessionID &>(*session_id), session, ssl);
-    // insertSession returns void, assume all went well
-    return TS_SUCCESS;
-  } else {
-    return TS_ERROR;
-  }
-}
-
-TSReturnCode
-TSSslSessionRemove(const TSSslSessionID *session_id)
-{
-  // Don't remove if there is no session id or the cache is not yet set up
-  if (session_id && session_cache) {
-    session_cache->removeSession(reinterpret_cast<const SSLSessionID &>(*session_id));
-    // removeSession returns void, assume all went well
-    return TS_SUCCESS;
-  } else {
-    return TS_ERROR;
-  }
-}
-
 // APIs for managing and using UUIDs.
 TSUuid
 TSUuidCreate()
diff --git a/src/iocore/net/P_SSLConfig.h b/src/iocore/net/P_SSLConfig.h
index f894cb0..44c3fca 100644
--- a/src/iocore/net/P_SSLConfig.h
+++ b/src/iocore/net/P_SSLConfig.h
@@ -60,12 +60,6 @@
 using load_ssl_file_func = void (*)(const char *);
 
 struct SSLConfigParams : public ConfigInfo {
-  enum SSL_SESSION_CACHE_MODE {
-    SSL_SESSION_CACHE_MODE_OFF                 = 0,
-    SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL = 1,
-    SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL     = 2
-  };
-
   SSLConfigParams();
   ~SSLConfigParams() override;
 
@@ -83,12 +77,6 @@
   int   verify_depth;
   int   ssl_origin_session_cache;
   int   ssl_origin_session_cache_size;
-  int   ssl_session_cache; // SSL_SESSION_CACHE_MODE
-  int   ssl_session_cache_size;
-  int   ssl_session_cache_num_buckets;
-  int   ssl_session_cache_skip_on_contention;
-  int   ssl_session_cache_timeout;
-  int   ssl_session_cache_auto_clear;
 
   char                   *clientCertPath;
   char                   *clientCertPathOnly;
@@ -139,9 +127,6 @@
 
   static int    origin_session_cache;
   static size_t origin_session_cache_size;
-  static size_t session_cache_number_buckets;
-  static size_t session_cache_max_bucket_size;
-  static bool   session_cache_skip_on_lock_contention;
 
   static swoc::IPRangeSet *proxy_protocol_ip_addrs;
 
@@ -263,5 +248,4 @@
   static int configid;
 };
 
-extern SSLSessionCache       *session_cache;
 extern SSLOriginSessionCache *origin_sess_cache;
diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc
index aa02e18..7ed208d 100644
--- a/src/iocore/net/SSLConfig.cc
+++ b/src/iocore/net/SSLConfig.cc
@@ -53,29 +53,26 @@
 #include "SSLSessionTicket.h"
 #include "iocore/net/YamlSNIConfig.h"
 
-int                SSLConfig::config_index                                = 0;
-int                SSLConfig::configids[]                                 = {0, 0};
-int                SSLCertificateConfig::configid                         = 0;
-int                SSLTicketKeyConfig::configid                           = 0;
-int                SSLConfigParams::ssl_maxrecord                         = 0;
-int                SSLConfigParams::ssl_misc_max_iobuffer_size_index      = 8;
-bool               SSLConfigParams::ssl_allow_client_renegotiation        = false;
-bool               SSLConfigParams::ssl_ocsp_enabled                      = false;
-int                SSLConfigParams::ssl_ocsp_cache_timeout                = 3600;
-bool               SSLConfigParams::ssl_ocsp_request_mode                 = false;
-int                SSLConfigParams::ssl_ocsp_request_timeout              = 10;
-int                SSLConfigParams::ssl_ocsp_update_period                = 60;
-char              *SSLConfigParams::ssl_ocsp_user_agent                   = nullptr;
-int                SSLConfigParams::ssl_handshake_timeout_in              = 0;
-int                SSLConfigParams::origin_session_cache                  = 1;
-size_t             SSLConfigParams::origin_session_cache_size             = 10240;
-size_t             SSLConfigParams::session_cache_number_buckets          = 1024;
-bool               SSLConfigParams::session_cache_skip_on_lock_contention = false;
-size_t             SSLConfigParams::session_cache_max_bucket_size         = 100;
-init_ssl_ctx_func  SSLConfigParams::init_ssl_ctx_cb                       = nullptr;
-load_ssl_file_func SSLConfigParams::load_ssl_file_cb                      = nullptr;
-swoc::IPRangeSet  *SSLConfigParams::proxy_protocol_ip_addrs               = nullptr;
-bool               SSLConfigParams::ssl_ktls_enabled                      = false;
+int                SSLConfig::config_index                           = 0;
+int                SSLConfig::configids[]                            = {0, 0};
+int                SSLCertificateConfig::configid                    = 0;
+int                SSLTicketKeyConfig::configid                      = 0;
+int                SSLConfigParams::ssl_maxrecord                    = 0;
+int                SSLConfigParams::ssl_misc_max_iobuffer_size_index = 8;
+bool               SSLConfigParams::ssl_allow_client_renegotiation   = false;
+bool               SSLConfigParams::ssl_ocsp_enabled                 = false;
+int                SSLConfigParams::ssl_ocsp_cache_timeout           = 3600;
+bool               SSLConfigParams::ssl_ocsp_request_mode            = false;
+int                SSLConfigParams::ssl_ocsp_request_timeout         = 10;
+int                SSLConfigParams::ssl_ocsp_update_period           = 60;
+char              *SSLConfigParams::ssl_ocsp_user_agent              = nullptr;
+int                SSLConfigParams::ssl_handshake_timeout_in         = 0;
+int                SSLConfigParams::origin_session_cache             = 1;
+size_t             SSLConfigParams::origin_session_cache_size        = 10240;
+init_ssl_ctx_func  SSLConfigParams::init_ssl_ctx_cb                  = nullptr;
+load_ssl_file_func SSLConfigParams::load_ssl_file_cb                 = nullptr;
+swoc::IPRangeSet  *SSLConfigParams::proxy_protocol_ip_addrs          = nullptr;
+bool               SSLConfigParams::ssl_ktls_enabled                 = false;
 
 const uint32_t EARLY_DATA_DEFAULT_SIZE                         = 16384;
 uint32_t       SSLConfigParams::server_max_early_data          = 0;
@@ -131,14 +128,7 @@
   verifyServerProperties                               = YamlSNIConfig::Property::NONE;
   ssl_ctx_options                                      = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
   ssl_client_ctx_options                               = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-  ssl_session_cache                                    = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
-  ssl_session_cache_size                               = 1024 * 100;
-  ssl_session_cache_num_buckets = 1024; // Sessions per bucket is ceil(ssl_session_cache_size / ssl_session_cache_num_buckets)
-  ssl_session_cache_skip_on_contention = 0;
-  ssl_session_cache_timeout            = 0;
-  ssl_session_cache_auto_clear         = 1;
-  configExitOnLoadError                = 1;
-  clientCertExitOnLoadError            = 0;
+  configExitOnLoadError                                = 1;
 }
 
 void
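Review bot: The merge resolution drops `clientCertExitOnLoadError = 0;` along with the session-cache defaults, leaving only `configExitOnLoadError = 1;` in this initializer. If `clientCertExitOnLoadError` is still a member of `SSLConfigParams` (its declaration is not visible in this diff), it no longer gets a default here. It would then be indeterminate until the config read assigns it, and that flag appears to decide whether a client-certificate load failure is fatal. Unless the member was removed or is now initialized elsewhere on this branch, restore the line `clientCertExitOnLoadError = 0;` next to `configExitOnLoadError`. The enclosing function starts outside the hunk.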
@@ -451,23 +441,9 @@
   // SSL session cache configurations
   REC_ReadConfigInteger(ssl_origin_session_cache, "proxy.config.ssl.origin_session_cache.enabled");
   REC_ReadConfigInteger(ssl_origin_session_cache_size, "proxy.config.ssl.origin_session_cache.size");
-  REC_ReadConfigInteger(ssl_session_cache, "proxy.config.ssl.session_cache.value");
-  REC_ReadConfigInteger(ssl_session_cache_size, "proxy.config.ssl.session_cache.size");
-  REC_ReadConfigInteger(ssl_session_cache_num_buckets, "proxy.config.ssl.session_cache.num_buckets");
-  REC_ReadConfigInteger(ssl_session_cache_skip_on_contention, "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention");
-  REC_ReadConfigInteger(ssl_session_cache_timeout, "proxy.config.ssl.session_cache.timeout");
-  REC_ReadConfigInteger(ssl_session_cache_auto_clear, "proxy.config.ssl.session_cache.auto_clear");
 
   SSLConfigParams::origin_session_cache      = ssl_origin_session_cache;
   SSLConfigParams::origin_session_cache_size = ssl_origin_session_cache_size;
-  SSLConfigParams::session_cache_max_bucket_size =
-    static_cast<size_t>(ceil(static_cast<double>(ssl_session_cache_size) / ssl_session_cache_num_buckets));
-  SSLConfigParams::session_cache_skip_on_lock_contention = ssl_session_cache_skip_on_contention;
-  SSLConfigParams::session_cache_number_buckets          = ssl_session_cache_num_buckets;
-
-  if (ssl_session_cache == SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL) {
-    session_cache = new SSLSessionCache();
-  }
 
   if (ssl_origin_session_cache == 1 && ssl_origin_session_cache_size > 0) {
     origin_sess_cache = new SSLOriginSessionCache();
diff --git a/src/iocore/net/SSLSessionCache.cc b/src/iocore/net/SSLSessionCache.cc
index 90eacee..73cedfc 100644
--- a/src/iocore/net/SSLSessionCache.cc
+++ b/src/iocore/net/SSLSessionCache.cc
@@ -27,293 +27,11 @@
 #include <memory>
 #include <shared_mutex>
 
-#define SSLSESSIONCACHE_STRINGIFY0(x) #x
-#define SSLSESSIONCACHE_STRINGIFY(x)  SSLSESSIONCACHE_STRINGIFY0(x)
-#define SSLSESSIONCACHE_LINENO        SSLSESSIONCACHE_STRINGIFY(__LINE__)
-
-#ifdef DEBUG
-#define PRINT_BUCKET(x) this->print(x " at " __FILE__ ":" SSLSESSIONCACHE_LINENO);
-#else
-#define PRINT_BUCKET(x)
-#endif
-
 namespace
 {
 DbgCtl dbg_ctl_ssl_origin_session_cache{"ssl.origin_session_cache"};
-DbgCtl dbg_ctl_ssl_session_cache{"ssl.session_cache"};
-DbgCtl dbg_ctl_ssl_session_cache_bucket{"ssl.session_cache.bucket"};
-DbgCtl dbg_ctl_ssl_session_cache_get{"ssl.session_cache.get"};
-DbgCtl dbg_ctl_ssl_session_cache_insert{"ssl.session_cache.insert"};
-DbgCtl dbg_ctl_ssl_session_cache_remove{"ssl.session_cache.remove"};
-
 } // end anonymous namespace
 
-/* Session Cache */
-SSLSessionCache::SSLSessionCache() : nbuckets(SSLConfigParams::session_cache_number_buckets)
-{
-  Dbg(dbg_ctl_ssl_session_cache, "Created new ssl session cache %p with %zu buckets each with size max size %zu", this, nbuckets,
-      SSLConfigParams::session_cache_max_bucket_size);
-
-  session_bucket = new SSLSessionBucket[nbuckets];
-}
-
-SSLSessionCache::~SSLSessionCache()
-{
-  delete[] session_bucket;
-}
-
-int
-SSLSessionCache::getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len) const
-{
-  uint64_t          hash          = sid.hash();
-  uint64_t          target_bucket = hash % nbuckets;
-  SSLSessionBucket *bucket        = &session_bucket[target_bucket];
-
-  return bucket->getSessionBuffer(sid, buffer, len);
-}
-
-bool
-SSLSessionCache::getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data) const
-{
-  uint64_t          hash          = sid.hash();
-  uint64_t          target_bucket = hash % nbuckets;
-  SSLSessionBucket *bucket        = &session_bucket[target_bucket];
-
-  if (dbg_ctl_ssl_session_cache.on()) {
-    char buf[sid.len * 2 + 1];
-    sid.toString(buf, sizeof(buf));
-    DbgPrint(dbg_ctl_ssl_session_cache_get, "SessionCache looking in bucket %" PRId64 " (%p) for session '%s' (hash: %" PRIX64 ").",
-             target_bucket, bucket, buf, hash);
-  }
-
-  return bucket->getSession(sid, sess, data);
-}
-
-void
-SSLSessionCache::removeSession(const SSLSessionID &sid)
-{
-  uint64_t          hash          = sid.hash();
-  uint64_t          target_bucket = hash % nbuckets;
-  SSLSessionBucket *bucket        = &session_bucket[target_bucket];
-
-  if (dbg_ctl_ssl_session_cache_remove.on()) {
-    char buf[sid.len * 2 + 1];
-    sid.toString(buf, sizeof(buf));
-    DbgPrint(dbg_ctl_ssl_session_cache_remove,
-             "SessionCache using bucket %" PRId64 " (%p): Removing session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf,
-             hash);
-  }
-  Metrics::Counter::increment(ssl_rsb.session_cache_eviction);
-
-  bucket->removeSession(sid);
-}
-
-void
-SSLSessionCache::insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl)
-{
-  uint64_t          hash          = sid.hash();
-  uint64_t          target_bucket = hash % nbuckets;
-  SSLSessionBucket *bucket        = &session_bucket[target_bucket];
-
-  if (dbg_ctl_ssl_session_cache_insert.on()) {
-    char buf[sid.len * 2 + 1];
-    sid.toString(buf, sizeof(buf));
-    DbgPrint(dbg_ctl_ssl_session_cache_insert,
-             "SessionCache using bucket %" PRId64 " (%p): Inserting session '%s' (hash: %" PRIX64 ").", target_bucket, bucket, buf,
-             hash);
-  }
-
-  bucket->insertSession(sid, sess, ssl);
-}
-
-void
-SSLSessionBucket::insertSession(const SSLSessionID &id, SSL_SESSION *sess, SSL *ssl)
-{
-  std::shared_lock r_lock(mutex, std::try_to_lock);
-  if (!r_lock.owns_lock()) {
-    Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
-    if (SSLConfigParams::session_cache_skip_on_lock_contention) {
-      return;
-    }
-    r_lock.lock();
-  }
-
-  // Don't insert if it is already there
-  if (bucket_map.find(id) != bucket_map.end()) {
-    return;
-  }
-
-  r_lock.unlock();
-
-  size_t len = i2d_SSL_SESSION(sess, nullptr); // make sure we're not going to need more than SSL_MAX_SESSION_SIZE bytes
-  /* do not cache a session that's too big. */
-  if (len > static_cast<size_t>(SSL_MAX_SESSION_SIZE)) {
-    Dbg(dbg_ctl_ssl_session_cache, "Unable to save SSL session because size of %zd exceeds the max of %d", len,
-        SSL_MAX_SESSION_SIZE);
-    return;
-  }
-
-  if (dbg_ctl_ssl_session_cache.on()) {
-    char buf[id.len * 2 + 1];
-    id.toString(buf, sizeof(buf));
-    DbgPrint(dbg_ctl_ssl_session_cache, "Inserting session '%s' to bucket %p.", buf, this);
-  }
-
-  Ptr<IOBufferData> buf;
-  Ptr<IOBufferData> buf_exdata;
-  size_t            len_exdata = sizeof(ssl_session_cache_exdata);
-  buf                          = new_IOBufferData(buffer_size_to_index(len, MAX_BUFFER_SIZE_INDEX), MEMALIGNED);
-  ink_release_assert(static_cast<size_t>(buf->block_size()) >= len);
-  unsigned char *loc = reinterpret_cast<unsigned char *>(buf->data());
-  i2d_SSL_SESSION(sess, &loc);
-  buf_exdata = new_IOBufferData(buffer_size_to_index(len, MAX_BUFFER_SIZE_INDEX), MEMALIGNED);
-  ink_release_assert(static_cast<size_t>(buf_exdata->block_size()) >= len_exdata);
-  ssl_session_cache_exdata *exdata = reinterpret_cast<ssl_session_cache_exdata *>(buf_exdata->data());
-  // This could be moved to a function in charge of populating exdata
-  exdata->curve = (ssl == nullptr) ? 0 : SSLGetCurveNID(ssl);
-
-  std::unique_ptr<SSLSession> ssl_session(new SSLSession(id, buf, len, buf_exdata));
-
-  std::unique_lock w_lock(mutex, std::try_to_lock);
-  if (!w_lock.owns_lock()) {
-    Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
-    if (SSLConfigParams::session_cache_skip_on_lock_contention) {
-      return;
-    }
-    w_lock.lock();
-  }
-
-  PRINT_BUCKET("insertSession before")
-  if (bucket_map.size() >= SSLConfigParams::session_cache_max_bucket_size) {
-    Metrics::Counter::increment(ssl_rsb.session_cache_eviction);
-    removeOldestSession(w_lock);
-  }
-
-  /* do the actual insert */
-  auto node = ssl_session.release();
-  bucket_que.enqueue(node);
-  bucket_map[id] = node;
-
-  PRINT_BUCKET("insertSession after")
-}
-
-int
-SSLSessionBucket::getSessionBuffer(const SSLSessionID &id, char *buffer, int &len)
-{
-  int              true_len = 0;
-  std::shared_lock lock(mutex, std::try_to_lock);
-  if (!lock.owns_lock()) {
-    Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
-    if (SSLConfigParams::session_cache_skip_on_lock_contention) {
-      return true_len;
-    }
-    lock.lock();
-  }
-
-  auto entry = bucket_map.find(id);
-  if (buffer && entry != bucket_map.end()) {
-    true_len                 = entry->second->len_asn1_data;
-    const unsigned char *loc = reinterpret_cast<const unsigned char *>(entry->second->asn1_data->data());
-    if (true_len < len) {
-      len = true_len;
-    }
-    memcpy(buffer, loc, len);
-    return true_len;
-  }
-  return 0;
-}
-
-bool
-SSLSessionBucket::getSession(const SSLSessionID &id, SSL_SESSION **sess, ssl_session_cache_exdata **data)
-{
-  char buf[id.len * 2 + 1];
-  buf[0] = '\0'; // just to be safe.
-  if (dbg_ctl_ssl_session_cache.on()) {
-    id.toString(buf, sizeof(buf));
-  }
-
-  Dbg(dbg_ctl_ssl_session_cache, "Looking for session with id '%s' in bucket %p", buf, this);
-
-  std::shared_lock lock(mutex, std::try_to_lock);
-  if (!lock.owns_lock()) {
-    Metrics::Counter::increment(ssl_rsb.session_cache_lock_contention);
-    if (SSLConfigParams::session_cache_skip_on_lock_contention) {
-      return false;
-    }
-    lock.lock();
-  }
-
-  PRINT_BUCKET("getSession")
-
-  auto entry = bucket_map.find(id);
-  if (entry == bucket_map.end()) {
-    Dbg(dbg_ctl_ssl_session_cache, "Session with id '%s' not found in bucket %p.", buf, this);
-    return false;
-  }
-  const unsigned char *loc = reinterpret_cast<const unsigned char *>(entry->second->asn1_data->data());
-  *sess                    = d2i_SSL_SESSION(nullptr, &loc, entry->second->len_asn1_data);
-  if (data != nullptr) {
-    ssl_session_cache_exdata *exdata = reinterpret_cast<ssl_session_cache_exdata *>(entry->second->extra_data->data());
-    *data                            = exdata;
-  }
-  return true;
-}
-
-void inline SSLSessionBucket::print(const char *ref_str) const
-{
-  /* NOTE: This method assumes you're already holding the bucket lock */
-  if (!dbg_ctl_ssl_session_cache_bucket.on()) {
-    return;
-  }
-
-  fprintf(stderr, "-------------- BUCKET %p (%s) ----------------\n", this, ref_str);
-  fprintf(stderr, "Current Size: %ld, Max Size: %zd\n", bucket_map.size(), SSLConfigParams::session_cache_max_bucket_size);
-  fprintf(stderr, "Bucket: \n");
-
-  for (auto &x : bucket_map) {
-    char s_buf[2 * x.second->session_id.len + 1];
-    x.second->session_id.toString(s_buf, sizeof(s_buf));
-    fprintf(stderr, "  %s\n", s_buf);
-  }
-}
-
-void inline SSLSessionBucket::removeOldestSession(const std::unique_lock<ts::shared_mutex> &lock)
-{
-  // Caller must hold the bucket shared_mutex with unique_lock.
-  ink_assert(lock.owns_lock());
-
-  PRINT_BUCKET("removeOldestSession before")
-
-  while (bucket_que.head && bucket_que.size >= static_cast<int>(SSLConfigParams::session_cache_max_bucket_size)) {
-    auto node = bucket_que.pop();
-    bucket_map.erase(node->session_id);
-    delete node;
-  }
-
-  PRINT_BUCKET("removeOldestSession after")
-}
-
-void
-SSLSessionBucket::removeSession(const SSLSessionID &id)
-{
-  // We can't bail on contention here because this session MUST be removed.
-  std::unique_lock lock(mutex);
-
-  PRINT_BUCKET("removeSession before")
-
-  auto entry = bucket_map.find(id);
-  if (entry != bucket_map.end()) {
-    auto node = entry->second;
-    bucket_que.remove(node);
-    bucket_map.erase(entry);
-    delete node;
-  }
-
-  PRINT_BUCKET("removeSession after")
-
-  return;
-}
-
 // Custom deleter for shared origin sessions
 void
 SSLSessDeleter(SSL_SESSION *_p)
@@ -321,11 +39,6 @@
   SSL_SESSION_free(_p);
 }
 
-/* Session Bucket */
-SSLSessionBucket::SSLSessionBucket() {}
-
-SSLSessionBucket::~SSLSessionBucket() {}
-
 SSLOriginSessionCache::SSLOriginSessionCache() {}
 
 SSLOriginSessionCache::~SSLOriginSessionCache() {}
diff --git a/src/iocore/net/SSLSessionCache.h b/src/iocore/net/SSLSessionCache.h
index ee23b2a..c201785 100644
--- a/src/iocore/net/SSLSessionCache.h
+++ b/src/iocore/net/SSLSessionCache.h
@@ -39,151 +39,6 @@
   ssl_curve_id curve = 0;
 };
 
-inline void
-hash_combine(uint64_t &seed, uint64_t hash)
-{
-  // using boost's version of hash combine, substituting magic number with a 64bit version
-  // https://www.boost.org/doc/libs/1_43_0/doc/html/hash/reference.html#boost.hash_combine
-  seed ^= hash + 0x9E3779B97F4A7C15 + (seed << 6) + (seed >> 2);
-}
-
-struct SSLSessionID : public TSSslSessionID {
-  SSLSessionID(const unsigned char *s, size_t l)
-  {
-    len = l;
-    ink_release_assert(l <= sizeof(bytes));
-    memcpy(bytes, s, l);
-    hash();
-  }
-
-  SSLSessionID(const SSLSessionID &other)
-  {
-    if (other.len)
-      memcpy(bytes, other.bytes, other.len);
-
-    len = other.len;
-    hash();
-  }
-
-  bool
-  operator<(const SSLSessionID &other) const
-  {
-    if (len != other.len)
-      return len < other.len;
-
-    return (memcmp(bytes, other.bytes, len) < 0);
-  }
-
-  SSLSessionID &
-  operator=(const SSLSessionID &other)
-  {
-    if (other.len)
-      memcpy(bytes, other.bytes, other.len);
-
-    len = other.len;
-    return *this;
-  }
-
-  bool
-  operator==(const SSLSessionID &other) const
-  {
-    if (len != other.len)
-      return false;
-
-    // memcmp returns 0 on equal
-    return (memcmp(bytes, other.bytes, len) == 0);
-  }
-
-  const char *
-  toString(char *buf, size_t buflen) const
-  {
-    char *cur_pos = buf;
-    for (size_t i = 0; i < len && buflen > 0; ++i) {
-      if (buflen > 2) { // we have enough space for 3 bytes, 2 hex and 1 null terminator
-        snprintf(cur_pos, 3 /* including a null terminator */, "%02hhX", static_cast<unsigned char>(bytes[i]));
-        cur_pos += 2;
-        buflen  -= 2;
-      } else { // not enough space for any more hex bytes, just null terminate
-        *cur_pos = '\0';
-        break;
-      }
-    }
-    return buf;
-  }
-
-  uint64_t
-  hash() const
-  {
-    // because the session ids should be uniformly random, we can treat the bits as a hash value
-    // however we need to combine them if the length is longer than 64bits
-    if (len >= sizeof(uint64_t)) {
-      uint64_t seed = 0;
-      for (uint64_t i = 0; i < len; i += sizeof(uint64_t)) {
-        hash_combine(seed, static_cast<uint64_t>(bytes[i]));
-      }
-      return seed;
-    } else if (len) {
-      return static_cast<uint64_t>(bytes[0]);
-    } else {
-      return 0;
-    }
-  }
-};
-
-class SSLSession
-{
-public:
-  SSLSessionID      session_id;
-  Ptr<IOBufferData> asn1_data; /* this is the ASN1 representation of the SSL_CTX */
-  size_t            len_asn1_data;
-  Ptr<IOBufferData> extra_data;
-
-  SSLSession(const SSLSessionID &id, const Ptr<IOBufferData> &ssl_asn1_data, size_t len_asn1, Ptr<IOBufferData> &exdata)
-    : session_id(id), asn1_data(ssl_asn1_data), len_asn1_data(len_asn1), extra_data(exdata)
-  {
-  }
-
-  LINK(SSLSession, link);
-};
-
-class SSLSessionBucket
-{
-public:
-  SSLSessionBucket();
-  ~SSLSessionBucket();
-  void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl);
-  bool getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data);
-  int  getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len);
-  void removeSession(const SSLSessionID &sid);
-
-private:
-  /* these method must be used while hold the lock */
-  void print(const char *) const;
-  void removeOldestSession(const std::unique_lock<ts::shared_mutex> &lock);
-
-  mutable ts::shared_mutex             mutex;
-  CountQueue<SSLSession>               bucket_que;
-  std::map<SSLSessionID, SSLSession *> bucket_map;
-};
-
-class SSLSessionCache
-{
-public:
-  bool getSession(const SSLSessionID &sid, SSL_SESSION **sess, ssl_session_cache_exdata **data) const;
-  int  getSessionBuffer(const SSLSessionID &sid, char *buffer, int &len) const;
-  void insertSession(const SSLSessionID &sid, SSL_SESSION *sess, SSL *ssl);
-  void removeSession(const SSLSessionID &sid);
-  SSLSessionCache();
-  ~SSLSessionCache();
-
-  SSLSessionCache(const SSLSessionCache &)            = delete;
-  SSLSessionCache &operator=(const SSLSessionCache &) = delete;
-
-private:
-  SSLSessionBucket *session_bucket = nullptr;
-  size_t            nbuckets;
-};
-
 class SSLOriginSession
 {
 public:
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index 53dc2bb..cedc87a 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -102,8 +102,6 @@
 #endif
 #endif
 
-SSLSessionCache *session_cache; // declared extern in P_SSLConfig.h
-
 static int ssl_vc_index = -1;
 
 static ink_mutex *mutex_buf            = nullptr;
@@ -188,92 +186,6 @@
   return SSL_CTX_add_extra_chain_cert_bio(ctx, bio.get());
 }
 
-static SSL_SESSION *
-#if defined(LIBRESSL_VERSION_NUMBER)
-ssl_get_cached_session(SSL *ssl, unsigned char *id, int len, int *copy)
-#else
-ssl_get_cached_session(SSL *ssl, const unsigned char *id, int len, int *copy)
-#endif
-{
-  TLSSessionResumptionSupport *srs = TLSSessionResumptionSupport::getInstance(ssl);
-
-  ink_assert(srs);
-  if (srs) {
-    return srs->getSession(ssl, id, len, copy);
-  }
-
-  return nullptr;
-}
-
-static int
-ssl_new_cached_session(SSL *ssl, SSL_SESSION *sess)
-{
-#ifdef TLS1_3_VERSION
-  if (SSL_SESSION_get_protocol_version(sess) == TLS1_3_VERSION) {
-    return 0;
-  }
-#endif
-
-  unsigned int         len = 0;
-  const unsigned char *id  = SSL_SESSION_get_id(sess, &len);
-
-  SSLSessionID sid(id, len);
-
-  if (diags()->on()) {
-    static DbgCtl dbg_ctl("ssl_session_cache.insert");
-    if (dbg_ctl.tag_on()) {
-      char printable_buf[(len * 2) + 1];
-
-      sid.toString(printable_buf, sizeof(printable_buf));
-      DbgPrint(dbg_ctl, "ssl_new_cached_session session '%s' and context %p", printable_buf, SSL_get_SSL_CTX(ssl));
-    }
-  }
-
-  Metrics::Counter::increment(ssl_rsb.session_cache_new_session);
-  session_cache->insertSession(sid, sess, ssl);
-
-  // Call hook after new session is created
-  APIHook *hook = SSLAPIHooks::instance()->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
-  while (hook) {
-    hook->invoke(TS_EVENT_SSL_SESSION_NEW, &sid);
-    hook = hook->m_link.next;
-  }
-
-  return 0;
-}
-
-static void
-ssl_rm_cached_session(SSL_CTX *ctx, SSL_SESSION *sess)
-{
-#ifdef TLS1_3_VERSION
-  if (SSL_SESSION_get_protocol_version(sess) == TLS1_3_VERSION) {
-    return;
-  }
-#endif
-
-  unsigned int         len = 0;
-  const unsigned char *id  = SSL_SESSION_get_id(sess, &len);
-  SSLSessionID         sid(id, len);
-
-  // Call hook before session is removed
-  APIHook *hook = SSLAPIHooks::instance()->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
-  while (hook) {
-    hook->invoke(TS_EVENT_SSL_SESSION_REMOVE, &sid);
-    hook = hook->m_link.next;
-  }
-
-  if (diags()->on()) {
-    static DbgCtl dbg_ctl("ssl_session_cache.remove");
-    if (dbg_ctl.tag_on()) {
-      char printable_buf[(len * 2) + 1];
-      sid.toString(printable_buf, sizeof(printable_buf));
-      DbgPrint(dbg_ctl, "ssl_rm_cached_session cached session '%s'", printable_buf);
-    }
-  }
-
-  session_cache->removeSession(sid);
-}
-
 // Callback function for verifying client certificate
 static int
 ssl_verify_client_callback(int preverify_ok, X509_STORE_CTX *ctx)
@@ -438,12 +350,15 @@
     }
 
     // Reset the ticket callback if needed
-    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
+    SSL_CTX                        *ctx                  = SSL_get_SSL_CTX(ssl);
+    shared_SSLMultiCertConfigParams sslMultiCertSettings = std::make_shared<SSLMultiCertConfigParams>();
+    if (sslMultiCertSettings->session_ticket_enabled != 0) {
 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
-    SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket);
+      SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket);
 #else
-    SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket);
+      SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_callback_session_ticket);
 #endif
+    }
   }
 #endif
 
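Review bot: The new guard on `session_ticket_enabled` reads an object created on the line above with `std::make_shared<SSLMultiCertConfigParams>()`, so it tests the type's default value rather than the setting of the certificate entry that `ctx` belongs to. If the constructor (not visible here) defaults the field to enabled, the condition is always true and a context configured with tickets off still gets `ssl_callback_session_ticket` re-installed; if it defaults to off, the callback is never reset. The check should read the multicert settings actually associated with `ctx`, which also removes the heap allocation on every call. The enclosing function starts and ends outside this hunk.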
@@ -633,9 +548,9 @@
     Metrics::Counter::increment(ssl_rsb.total_ticket_keys_renewed);
   }
 
-// Setting the callback can only fail if OpenSSL does not recognize the
-// SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB constant. we set the callback first
-// so that we don't leave a ticket_key pointer attached if it fails.
+  // Setting the callback can only fail if OpenSSL does not recognize the
+  // SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB constant. we set the callback first
+  // so that we don't leave a ticket_key pointer attached if it fails.
 #ifdef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB
   if (SSL_CTX_set_tlsext_ticket_key_evp_cb(ctx, ssl_callback_session_ticket) == 0) {
 #else
@@ -1273,9 +1188,7 @@
       SSL_CTX_set_max_proto_version(ctx, ver);
     }
 
-    if (!this->_setup_session_cache(ctx)) {
-      goto fail;
-    }
+    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL);
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
     Dbg(dbg_ctl_ssl_load, "enabling SSL_MODE_RELEASE_BUFFERS");
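Review bot: The added `SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL);` turns off server-side session-ID caching for every context, and nothing at the call site says that this is intentional or that session tickets are now the only resumption path. A short comment above the call would record it, for example `// Server session cache removed: resumption is ticket-only, gated by proxy.config.ssl.server.session_ticket.enable.` Operators who disabled tickets and relied on the cache for TLS 1.2 resumption will see full handshakes after this change, which deserves a mention in the upgrade notes. The enclosing function starts and ends outside this hunk.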
@@ -1380,44 +1293,6 @@
 bool
 SSLMultiCertConfigLoader::_setup_session_cache(SSL_CTX *ctx)
 {
-  const SSLConfigParams *params = this->_params;
-
-  Dbg(dbg_ctl_ssl_session_cache,
-      "ssl context=%p: using session cache options, enabled=%d, size=%d, num_buckets=%d, "
-      "skip_on_contention=%d, timeout=%d, auto_clear=%d",
-      ctx, params->ssl_session_cache, params->ssl_session_cache_size, params->ssl_session_cache_num_buckets,
-      params->ssl_session_cache_skip_on_contention, params->ssl_session_cache_timeout, params->ssl_session_cache_auto_clear);
-
-  if (params->ssl_session_cache_timeout) {
-    SSL_CTX_set_timeout(ctx, params->ssl_session_cache_timeout);
-  }
-
-  int additional_cache_flags  = 0;
-  additional_cache_flags     |= (params->ssl_session_cache_auto_clear == 0) ? SSL_SESS_CACHE_NO_AUTO_CLEAR : 0;
-
-  switch (params->ssl_session_cache) {
-  case SSLConfigParams::SSL_SESSION_CACHE_MODE_OFF:
-    Dbg(dbg_ctl_ssl_session_cache, "disabling SSL session cache");
-
-    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF | SSL_SESS_CACHE_NO_INTERNAL);
-    break;
-  case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_OPENSSL_IMPL:
-    Dbg(dbg_ctl_ssl_session_cache, "enabling SSL session cache with OpenSSL implementation");
-
-    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | additional_cache_flags);
-    SSL_CTX_sess_set_cache_size(ctx, params->ssl_session_cache_size);
-    break;
-  case SSLConfigParams::SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL: {
-    Dbg(dbg_ctl_ssl_session_cache, "enabling SSL session cache with ATS implementation");
-    /* Add all the OpenSSL callbacks */
-    SSL_CTX_sess_set_new_cb(ctx, ssl_new_cached_session);
-    SSL_CTX_sess_set_remove_cb(ctx, ssl_rm_cached_session);
-    SSL_CTX_sess_set_get_cb(ctx, ssl_get_cached_session);
-
-    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL | additional_cache_flags);
-    break;
-  }
-  }
   return true;
 }
 
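Review bot: `SSLMultiCertConfigLoader::_setup_session_cache` is left as a stub whose whole body is `return true;`, and the one call to it visible in this diff was removed in the previous hunk, so `ctx` is now unused. If nothing else calls or overrides it (the declaration is not shown here), removing the function together with its declaration is cleaner than keeping a no-op with a name that suggests a cache is configured. If it has to stay as an extension point, say so in a comment such as `// Intentionally empty: the server session cache was removed; kept for subclasses.` and declare the parameter as `[[maybe_unused]] SSL_CTX *ctx`.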
diff --git a/src/iocore/net/TLSSessionResumptionSupport.cc b/src/iocore/net/TLSSessionResumptionSupport.cc
index 02cf2d6..e58cc2e 100644
--- a/src/iocore/net/TLSSessionResumptionSupport.cc
+++ b/src/iocore/net/TLSSessionResumptionSupport.cc
@@ -142,54 +142,6 @@
   return this->_sslCurveNID;
 }
 
-SSL_SESSION *
-TLSSessionResumptionSupport::getSession(SSL *ssl, const unsigned char *id, int len, int *copy)
-{
-  SSLSessionID sid(id, len);
-
-  *copy = 0;
-  if (diags()->on()) {
-    static DbgCtl dbg_ctl("ssl.session_cache.get");
-    if (dbg_ctl.tag_on()) {
-      char printable_buf[(len * 2) + 1];
-      sid.toString(printable_buf, sizeof(printable_buf));
-      DbgPrint(dbg_ctl, "ssl_get_cached_session cached session '%s' context %p", printable_buf, SSL_get_SSL_CTX(ssl));
-    }
-  }
-
-  APIHook *hook = SSLAPIHooks::instance()->get(TSSslHookInternalID(TS_SSL_SESSION_HOOK));
-  while (hook) {
-    hook->invoke(TS_EVENT_SSL_SESSION_GET, &sid);
-    hook = hook->m_link.next;
-  }
-
-  SSL_SESSION              *session = nullptr;
-  ssl_session_cache_exdata *exdata  = nullptr;
-  if (session_cache->getSession(sid, &session, &exdata)) {
-    ink_assert(session);
-    ink_assert(exdata);
-
-    // Double check the timeout
-    if (is_ssl_session_timed_out(session)) {
-      Metrics::Counter::increment(ssl_rsb.session_cache_miss);
-// Due to bug in openssl, the timeout is checked, but only removed
-// from the openssl built-in hash table.  The external remove cb is not called
-#if 0 // This is currently eliminated, since it breaks things in odd ways (see TS-3710)
-      ssl_rm_cached_session(SSL_get_SSL_CTX(ssl), session);
-#endif
-      SSL_SESSION_free(session);
-      session = nullptr;
-    } else {
-      Metrics::Counter::increment(ssl_rsb.session_cache_hit);
-      this->_setSSLSessionCacheHit(true);
-      this->_setSSLCurveNID(exdata->curve);
-    }
-  } else {
-    Metrics::Counter::increment(ssl_rsb.session_cache_miss);
-  }
-  return session;
-}
-
 std::shared_ptr<SSL_SESSION>
 TLSSessionResumptionSupport::getOriginSession(SSL *ssl, const std::string &lookup_key)
 {
diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc
index d80af3a..005451f 100644
--- a/src/records/RecordsConfig.cc
+++ b/src/records/RecordsConfig.cc
@@ -1158,20 +1158,8 @@
   ,
   {RECT_CONFIG, "proxy.config.ssl.origin_session_cache.size", RECD_INT, "10240", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.session_cache.value", RECD_INT, "2", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.session_cache.size", RECD_INT, "102400", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.session_cache.num_buckets", RECD_INT, "256", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.session_cache.skip_cache_on_bucket_contention", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
-  ,
   {RECT_CONFIG, "proxy.config.ssl.max_record_size", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, "[0-16383]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.session_cache.timeout", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.session_cache.auto_clear", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
-  ,
   {RECT_CONFIG, "proxy.config.ssl.hsts_max_age", RECD_INT, "-1", RECU_DYNAMIC, RR_NULL, RECC_STR, "^-?[0-9]+$", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.hsts_include_subdomains", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
diff --git a/tests/gold_tests/pluginTest/stek_share/stek_share.test.py b/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
index de320d6..8dcaf78 100644
--- a/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
+++ b/tests/gold_tests/pluginTest/stek_share/stek_share.test.py
@@ -164,10 +164,6 @@
         'proxy.config.exec_thread.limit': 4,
         'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 1024,
-        'proxy.config.ssl.session_cache.timeout': 7200,
-        'proxy.config.ssl.session_cache.num_buckets': 16,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.server.cipher_suite':
             'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -184,10 +180,6 @@
         'proxy.config.exec_thread.limit': 4,
         'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 1024,
-        'proxy.config.ssl.session_cache.timeout': 7200,
-        'proxy.config.ssl.session_cache.num_buckets': 16,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.server.cipher_suite':
             'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -204,10 +196,6 @@
         'proxy.config.exec_thread.limit': 4,
         'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 1024,
-        'proxy.config.ssl.session_cache.timeout': 7200,
-        'proxy.config.ssl.session_cache.num_buckets': 16,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.server.cipher_suite':
             'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -224,10 +212,6 @@
         'proxy.config.exec_thread.limit': 4,
         'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 1024,
-        'proxy.config.ssl.session_cache.timeout': 7200,
-        'proxy.config.ssl.session_cache.num_buckets': 16,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.server.cipher_suite':
             'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
@@ -244,10 +228,6 @@
         'proxy.config.exec_thread.limit': 4,
         'proxy.config.ssl.server.cert.path': '{0}'.format(Test.RunDirectory),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(Test.RunDirectory),
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 1024,
-        'proxy.config.ssl.session_cache.timeout': 7200,
-        'proxy.config.ssl.session_cache.num_buckets': 16,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.server.cipher_suite':
             'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
diff --git a/tests/gold_tests/tls/tls_0rtt_server.test.py b/tests/gold_tests/tls/tls_0rtt_server.test.py
index a23230f..babebe3 100644
--- a/tests/gold_tests/tls/tls_0rtt_server.test.py
+++ b/tests/gold_tests/tls/tls_0rtt_server.test.py
@@ -104,10 +104,6 @@
         'proxy.config.exec_thread.limit': 8,
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 512000,
-        'proxy.config.ssl.session_cache.timeout': 7200,
-        'proxy.config.ssl.session_cache.num_buckets': 32768,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.server.max_early_data': 16384,
         'proxy.config.ssl.server.allow_early_data_params': 0,
@@ -133,10 +129,6 @@
         'proxy.config.exec_thread.limit': 8,
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 512000,
-        'proxy.config.ssl.session_cache.timeout': 7200,
-        'proxy.config.ssl.session_cache.num_buckets': 32768,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.server.max_early_data': 0,
         'proxy.config.ssl.server.allow_early_data_params': 0,
diff --git a/tests/gold_tests/tls/tls_origin_session_reuse.test.py b/tests/gold_tests/tls/tls_origin_session_reuse.test.py
index 0732dd3..3ba1b12 100644
--- a/tests/gold_tests/tls/tls_origin_session_reuse.test.py
+++ b/tests/gold_tests/tls/tls_origin_session_reuse.test.py
@@ -64,12 +64,6 @@
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
         'proxy.config.exec_thread.autoconfig.scale': 1.0,
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 4096,
-        'proxy.config.ssl.session_cache.num_buckets': 256,
-        'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
-        'proxy.config.ssl.session_cache.timeout': 0,
-        'proxy.config.ssl.session_cache.auto_clear': 1,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.origin_session_cache.enabled': 1,
         'proxy.config.ssl.origin_session_cache.size': 1,
@@ -83,12 +77,6 @@
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts2.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts2.Variables.SSLDir),
         'proxy.config.exec_thread.autoconfig.scale': 1.0,
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 4096,
-        'proxy.config.ssl.session_cache.num_buckets': 256,
-        'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
-        'proxy.config.ssl.session_cache.timeout': 0,
-        'proxy.config.ssl.session_cache.auto_clear': 1,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.origin_session_cache.enabled': 1,
         'proxy.config.ssl.origin_session_cache.size': 1,
@@ -100,12 +88,6 @@
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts3.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts3.Variables.SSLDir),
         'proxy.config.exec_thread.autoconfig.scale': 1.0,
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 4096,
-        'proxy.config.ssl.session_cache.num_buckets': 256,
-        'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
-        'proxy.config.ssl.session_cache.timeout': 0,
-        'proxy.config.ssl.session_cache.auto_clear': 1,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.origin_session_cache.enabled': 1,
         'proxy.config.ssl.origin_session_cache.size': 1,
@@ -119,12 +101,6 @@
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts4.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts4.Variables.SSLDir),
         'proxy.config.exec_thread.autoconfig.scale': 1.0,
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 4096,
-        'proxy.config.ssl.session_cache.num_buckets': 256,
-        'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
-        'proxy.config.ssl.session_cache.timeout': 0,
-        'proxy.config.ssl.session_cache.auto_clear': 1,
         'proxy.config.ssl.server.session_ticket.enable': 1,
         'proxy.config.ssl.origin_session_cache.enabled': 0,
         'proxy.config.ssl.origin_session_cache.size': 1,
diff --git a/tests/gold_tests/tls/tls_session_reuse.test.py b/tests/gold_tests/tls/tls_session_reuse.test.py
index ff0c25e..6647b16 100644
--- a/tests/gold_tests/tls/tls_session_reuse.test.py
+++ b/tests/gold_tests/tls/tls_session_reuse.test.py
@@ -26,7 +26,6 @@
 # Define default ATS
 ts1 = Test.MakeATSProcess("ts1", enable_tls=True)
 ts2 = Test.MakeATSProcess("ts2", enable_tls=True)
-ts3 = Test.MakeATSProcess("ts3", enable_tls=True)
 server = Test.MakeOriginServer("server")
 
 # Add info the origin server responses
@@ -39,124 +38,111 @@
 ts1.addSSLfile("ssl/server.key")
 ts2.addSSLfile("ssl/server.pem")
 ts2.addSSLfile("ssl/server.key")
-ts3.addSSLfile("ssl/server.pem")
-ts3.addSSLfile("ssl/server.key")
 
 ts1.Disk.remap_config.AddLine('map / http://127.0.0.1:{0}'.format(server.Variables.Port))
 ts2.Disk.remap_config.AddLine('map / http://127.0.0.1:{0}'.format(server.Variables.Port))
-ts3.Disk.remap_config.AddLine('map / http://127.0.0.1:{0}'.format(server.Variables.Port))
 
 ts1.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key')
 ts2.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key')
-ts3.Disk.ssl_multicert_config.AddLine('dest_ip=* ssl_cert_name=server.pem ssl_key_name=server.key')
 
 ts1.Disk.records_config.update(
     {
+        'proxy.config.diags.debug.enabled': 1,
+        'proxy.config.diags.debug.tags': 'ssl',
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts1.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts1.Variables.SSLDir),
         'proxy.config.ssl.server.cipher_suite':
             'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
         'proxy.config.exec_thread.autoconfig.scale': 1.0,
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 4096,
-        'proxy.config.ssl.session_cache.num_buckets': 256,
-        'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
-        'proxy.config.ssl.session_cache.timeout': 0,
-        'proxy.config.ssl.session_cache.auto_clear': 1,
-        'proxy.config.ssl.server.session_ticket.enable': 0,
+        'proxy.config.ssl.server.session_ticket.enable': 1,
+        'proxy.config.ssl.server.session_ticket.number': 2,
     })
 ts2.Disk.records_config.update(
     {
+        'proxy.config.diags.debug.enabled': 1,
+        'proxy.config.diags.debug.tags': 'ssl',
         'proxy.config.ssl.server.cert.path': '{0}'.format(ts2.Variables.SSLDir),
         'proxy.config.ssl.server.private_key.path': '{0}'.format(ts2.Variables.SSLDir),
         'proxy.config.ssl.server.cipher_suite':
             'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
         'proxy.config.exec_thread.autoconfig.scale': 1.0,
-        'proxy.config.ssl.session_cache.value': 2,
-        'proxy.config.ssl.session_cache.size': 4096,
-        'proxy.config.ssl.session_cache.num_buckets': 256,
-        'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
-        'proxy.config.ssl.session_cache.timeout': 0,
-        'proxy.config.ssl.session_cache.auto_clear': 1,
-        'proxy.config.ssl.server.session_ticket.enable': 1,
-    })
-ts3.Disk.records_config.update(
-    {
-        'proxy.config.ssl.server.cert.path': '{0}'.format(ts3.Variables.SSLDir),
-        'proxy.config.ssl.server.private_key.path': '{0}'.format(ts3.Variables.SSLDir),
-        'proxy.config.ssl.server.cipher_suite':
-            'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
-        'proxy.config.exec_thread.autoconfig.scale': 1.0,
-        'proxy.config.ssl.session_cache.value': 0,
-        'proxy.config.ssl.session_cache.size': 4096,
-        'proxy.config.ssl.session_cache.num_buckets': 256,
-        'proxy.config.ssl.session_cache.skip_cache_on_bucket_contention': 0,
-        'proxy.config.ssl.session_cache.timeout': 0,
-        'proxy.config.ssl.session_cache.auto_clear': 1,
-        'proxy.config.ssl.server.session_ticket.enable': 1,
+        'proxy.config.ssl.server.session_ticket.enable': 0,
+        'proxy.config.ssl.server.session_ticket.number': 0,
     })
 
 
-def check_session(ev, test):
+def check_session(output_path, tls_ver, reuse_count):
     retval = False
-    f = open(test.GetContent(ev), 'r')
-    err = "Session ids match"
+    f = open(output_path, 'r')
     if not f:
-        err = "Failed to open {0}".format(openssl_output)
-        return (retval, "Check that session ids match", err)
+        err = "Failed to open {0}".format(output_path)
+        return (retval, "Check session is reused", err)
 
     content = f.read()
-    match = re.findall('Session-ID: ([0-9A-F]+)', content)
-
-    if match:
-        if all(i == j for i, j in zip(match, match[1:])):
-            err = "{0} reused successfully {1} times".format(match[0], len(match) - 1)
-            retval = True
-        else:
-            err = "Session is not being reused as expected"
+    match = re.findall(f'Reused, {tls_ver}', content)
+    if len(match) == reuse_count:
+        retval = True
+        err = "Reused successfully {0} times".format(len(match))
     else:
-        err = "Didn't find session id"
-    return (retval, "Check that session ids match", err)
+        err = "Session is not being reused as expected"
+    f.close()
+    return (retval, "Check session is reused", err)
 
 
-tr = Test.AddTestRun("TLSv1.2 Session ID")
-tr.Command = \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_out {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1}' \
-    .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess.dat'))
-tr.ReturnCode = 0
-tr.Processes.Default.StartBefore(server)
-tr.Processes.Default.StartBefore(ts1)
-tr.Processes.Default.Streams.All.Content = Testers.Lambda(check_session)
-tr.StillRunningAfter = server
-
-tr1 = Test.AddTestRun("TLSv1.2 Session Ticket")
+tr1 = Test.AddTestRun("TLSv1.2 Session Resumption Enabled")
 tr1.Command = \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_out {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -sess_in {1}' \
-    .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess.dat'))
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2' \
+    .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess1.dat'))
 tr1.ReturnCode = 0
-tr1.Processes.Default.StartBefore(ts2)
-tr1.Processes.Default.Streams.All.Content = Testers.Lambda(check_session)
-tr1.StillRunningAfter = server
+tr1.Processes.Default.StartBefore(server)
+tr1.Processes.Default.StartBefore(ts1)
+tr1.Processes.Default.Streams.All.Content = Testers.Lambda(
+    lambda info, tester: check_session(tr1.Processes.Default.Streams.All.AbsPath, 'TLSv1.2', 5))
+tr1.StillRunningAfter += server
+tr1.StillRunningAfter += ts1
 
-tr2 = Test.AddTestRun("Disabled Session Cache")
+tr2 = Test.AddTestRun("TLSv1.3 Session Resumption Enabled")
 tr2.Command = \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_out {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1} && ' \
-    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -tls1_2 -connect 127.0.0.1:{0} -no_ticket -sess_in {1}' \
-    .format(ts3.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess.dat'))
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2' \
+    .format(ts1.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess2.dat'))
 tr2.ReturnCode = 0
-tr2.Processes.Default.StartBefore(ts3)
-tr2.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr2.Processes.Default.Streams.All.Content = Testers.Lambda(
+    lambda info, tester: check_session(tr2.Processes.Default.Streams.All.AbsPath, 'TLSv1.2', 5))
+tr2.StillRunningAfter += server
+
+tr3 = Test.AddTestRun("TLSv1.2 Session Resumption Disabled")
+tr3.Command = \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_2' \
+    .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess3.dat'))
+tr3.Processes.Default.StartBefore(ts2)
+tr3.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr3.Processes.Default.Streams.All += Testers.ContainsExpression('TLSv1.2', '')
+tr3.StillRunningAfter += server
+tr3.StillRunningAfter += ts2
+
+tr4 = Test.AddTestRun("TLSv1.3 Session Resumption Disabled")
+tr4.Command = \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_out {1} -tls1_3 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_3 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_3 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_3 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_3 && ' \
+    'echo -e "GET / HTTP/1.1\r\n" | openssl s_client -connect 127.0.0.1:{0} -sess_in  {1} -tls1_3' \
+    .format(ts2.Variables.ssl_port, os.path.join(Test.RunDirectory, 'sess4.dat'))
+tr4.Processes.Default.Streams.All = Testers.ExcludesExpression('Reused', '')
+tr4.Processes.Default.Streams.All += Testers.ContainsExpression('TLSv1.3', '')
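Review bot: The run titled "TLSv1.3 Session Resumption Enabled" (tr2) passes `-tls1_2` on all six `openssl s_client` commands and calls `check_session(..., 'TLSv1.2', 5)`, so it repeats tr1 and TLS 1.3 ticket resumption is never exercised with tickets enabled. Using `-tls1_3` in tr2's commands and `'TLSv1.3'` in its `check_session` call would match the title; if TLS 1.2 is deliberate there, the title should change instead. In `check_session`, `open()` raises rather than returning a falsy value, so the `if not f:` branch is dead; `with open(output_path, 'r') as f:` would also close the file on every path. tr3 and tr4 do not set `ReturnCode = 0` as tr1 and tr2 do, and tr4 has no `StillRunningAfter` entries.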