Don't maintain a second level of timeouts.
This second level of timeouts is not maintained correctly in the case of
TLS 1.2 ticket renewals. BoringSSL does not extend ticket lifetimes on
ticket renewals because the master secret is unchanged, but BoringSSL's
default is two hours, while SSLClientSessionCache uses one hour. This
meant that TLS 1.2 ticket renewals currently extend the one hour
lifetime up to a two hour non-renewable lifetime.
This makes no sense. Instead, have SSLClientSessionCache query
SSL_SESSION timeout fields. Then configure the SSL_CTX to match the old
timeout to preserve the existing behavior. (Though I suspect one vs two
hours isn't a big difference and we could just leave it at BoringSSL
defaults.)
Do this both to fix our TLS 1.2 ticket renewal policy and prepare for
TLS 1.3 which will involve a more complex timeout policy. (Resumptions
do an ECDH and renewals incorporate that key material, so longer and
renewable lifetimes makes sense, but we will still need a non-renewable
timeout for when we require a fresh signature.)
BUG=630147
Review-Url: https://codereview.chromium.org/2480813002
Cr-Commit-Position: refs/heads/master@{#430961}
4 files changed
