If so, is it enabled by default? How can I enable it?
On Fri, May 29, 2009 at 04:09:23PM -0700, Michael S. wrote:
If so, is it enabled by default? How can I enable it?
If you mean SSL session reusing, then
ssl_session_cache shared:SSL:10m;
Default is “ssl_session_cache none”.
Is there any reason for not enabling this? some sort of possible
security risk?
Seems like it saves a lot of negotiation overhead on each request
This is what I mean by “SSL resumption” I think it’s what you’re
talking about too.
2009/5/29 Igor S. [email protected]:
2009/5/30 Igor S. [email protected]:
Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
see 'SSL Memory Usage and Fragmentation' thread - MARC
Is this an OpenSSL bug? I think there’s an OpenSSL bug I am hitting as
well with Firefox 3.x (even using the ssl_protocols workaround) - if
this is a bug in OpenSSL I’d like to go yell at them for both… 
Also I do think that shared SSL session cache should be enabled by default.
I agree.
BTW, Module ngx_http_ssl_module is outdated:
ssl_session_cache has yet two paramters “off” and “none” (default one):“off” is hard off: nginx says explicitly to a client that sessions can not
reused.“none” is soft off: nginx says to a client that session can be resued, but
nginx actually never reuses them. This is workaround for some mail clients
as ssl_session_cache may be used in mail proxy as well as in HTTP server.
I’ve updated the wiki with this information.
http://wiki.nginx.org/NginxHttpSslModule#ssl_session_cache
Does it still accept two parameters as shown int he example on the
wiki? I want to make sure that is still legitimate. I assume that
means it will use the first cache and fall back to the second if it is
full or something?
Please verify my changes are correct. I don’t want to be putting up
incorrect information
On Sat, May 30, 2009 at 12:04:27AM -0700, Michael S. wrote:
Is there any reason for not enabling this? some sort of possible security risk?
Seems like it saves a lot of negotiation overhead on each request
Yes. However, built-in OpenSSL session cache leads to memory
fragmentation,
see 'SSL Memory Usage and Fragmentation' thread - MARC
Also I do think that shared SSL session cache should be enabled by
default.
BTW, Module ngx_http_ssl_module is outdated:
ssl_session_cache has yet two paramters “off” and “none” (default one):
“off” is hard off: nginx says explicitly to a client that sessions can
not
reused.
“none” is soft off: nginx says to a client that session can be resued,
but
nginx actually never reuses them. This is workaround for some mail
clients
as ssl_session_cache may be used in mail proxy as well as in HTTP
server.
On Sat, May 30, 2009 at 10:27:06AM -0700, Michael S. wrote:
2009/5/30 Igor S. [email protected]:
Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
see 'SSL Memory Usage and Fragmentation' thread - MARCIs this an OpenSSL bug? I think there’s an OpenSSL bug I am hitting as
well with Firefox 3.x (even using the ssl_protocols workaround) - if
this is a bug in OpenSSL I’d like to go yell at them for both…
I believe this is joint effect of some libc malloc() and OpenSSL.
“none” is soft off: nginx says to a client that session can be resued, but
nginx actually never reuses them. This is workaround for some mail clients
as ssl_session_cache may be used in mail proxy as well as in HTTP server.I’ve updated the wiki with this information.
Module ngx_http_ssl_moduleDoes it still accept two parameters as shown int he example on the
wiki? I want to make sure that is still legitimate. I assume that
means it will use the first cache and fall back to the second if it is
full or something?
Yes, you still may set both builtin and shared cache simultaneously,
but shared one only is preferable.
Please verify my changes are correct. I don’t want to be putting up
incorrect information
Thank you, this is correct.
2009/5/30 Igor S. [email protected]:
I believe this is joint effect of some libc malloc() and OpenSSL.
You wouldn’t happen to have any kind of debug info or a short C
program to emulate this behavior so I can submit it to the OpenSSL
team, do you?
Since I want to get on their case about something else, I might as
well kill two birds with one stone.
On Sat, May 30, 2009 at 01:16:43PM -0700, Michael S. wrote:
2009/5/30 Igor S. [email protected]:
I believe this is joint effect of some libc malloc() and OpenSSL.
You wouldn’t happen to have any kind of debug info or a short C
program to emulate this behavior so I can submit it to the OpenSSL
team, do you?Since I want to get on their case about something else, I might as
well kill two birds with one stone.
No, I have no additional information.