From b7692ab04df57d88ade567c4d5bb4cd16513b27e Mon Sep 17 00:00:00 2001
From: Carter Kozak
Date: Mon, 30 Nov 2020 10:09:29 -0500
Subject: [PATCH] Reduce the client TLS session cache size (#1067)
Reduce the client TLS session cache size
---
 changelog/@unreleased/pr-1067.v2.yml | 5 +++++
 .../dialogue/clients/AugmentClientConfig.java | 11 +++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 changelog/@unreleased/pr-1067.v2.yml
diff --git a/changelog/@unreleased/pr-1067.v2.yml b/changelog/@unreleased/pr-1067.v2.yml
new file mode 100644
index 000000000..7c0b4f66f
--- /dev/null
+++ b/changelog/@unreleased/pr-1067.v2.yml
@@ -0,0 +1,5 @@
+type: improvement
+improvement:
+ description: Reduce the client TLS session cache size
+ links:
+ - https://github.com/palantir/dialogue/pull/1067
diff --git a/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java b/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java
index de1a54418..9ef88309a 100644
--- a/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java
+++ b/dialogue-clients/src/main/java/com/palantir/dialogue/clients/AugmentClientConfig.java
@@ -27,6 +27,7 @@ import com.palantir.tritium.metrics.registry.TaggedMetricRegistry;
 import java.security.Provider;
 import java.util.Optional;
+import javax.net.ssl.SSLContext;
 import org.immutables.value.Value;
 /**
@@ -64,13 +65,19 @@ static ClientConfiguration getClientConf(ServiceConfiguration serviceConfig, Aug
 ClientConfiguration.Builder builder = ClientConfiguration.builder().from(ClientConfigurations.of(serviceConfig));
+ SSLContext context = augment.securityProvider()
+ .map(provider -> SslSocketFactories.createSslContext(serviceConfig.security(), provider))
+ .orElseGet(() -> SslSocketFactories.createSslContext(serviceConfig.security()));
+ // Reduce the session cache size for clients. We expect TLS connections to be reused, thus the cache isn't
+ // terribly important.
+ context.getClientSessionContext().setSessionCacheSize(100);
+ builder.sslSocketFactory(context.getSocketFactory());
+
 if (!serviceConfig.maxNumRetries().isPresent()) {
 augment.maxNumRetries().ifPresent(builder::maxNumRetries);
 }
 if (augment.securityProvider().isPresent()) {
- builder.sslSocketFactory(SslSocketFactories.createSslSocketFactory(
- serviceConfig.security(), augment.securityProvider().get()));
 // Opt into GCM when custom providers (Conscrypt) is used.
 builder.enableGcmCipherSuites(true);
 }
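Review bot: The client session cache bound on the `setSessionCacheSize(100)` line is a bare magic number whose rationale lives only in the comment above it; lift it to a named constant, e.g. `private static final int CLIENT_TLS_SESSION_CACHE_SIZE = 100;` at class level and `context.getClientSessionContext().setSessionCacheSize(CLIENT_TLS_SESSION_CACHE_SIZE);` here, so the value is discoverable and tunable in one place. The comment could also say what the bound buys from a hardening standpoint: it caps the number of resumable sessions a client retains per SSLContext, which matters when many clients are built from this path, while leaving the session timeout untouched (nothing in this hunk sets it, so it presumably stays at the JSSE default). One thing to confirm: the mutation assumes `SslSocketFactories.createSslContext` returns a fresh SSLContext per call; if it ever memoizes contexts, the cache-size change would silently apply to every caller sharing that context. The enclosing method getClientConf starts before this hunk (its signature appears only in the hunk header) and continues after it.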