Hello,
I am optimizing our install of nginx for SSL performance, since our SaaS app is served exclusively over https. I have the following SSL performance directives:

ssl_session_cache shared:SSL_CACHE:4m;
ssl_session_timeout 5m;

My question is, what is the downfall, if any, of setting the timeout to like 720m, which is 12 hours? Seems like caching longer would be better. Or, is there a security risk of caching for such a long time?
Thanks.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,233990,233990#msg-233990
on 2012-12-14 03:45
on 2012-12-14 07:45
Browsing my nginx error log, I noticed the following logged A LOT:

2012/12/13 21:37:18 [crit] 7968#0: ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL_CACHE"

If the cache fills, does it flush older entries for new entries? Basically, how does the SSL cache work exactly?

Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,233990,233999#msg-233999
on 2012-12-14 11:56
Hello!

On Fri, Dec 14, 2012 at 01:45:34AM -0500, justin wrote:

> Browsing my nginx error log noticed the following logged A LOT:
>
> 2012/12/13 21:37:18 [crit] 7968#0: ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL_CACHE"
>
> If the cache fills, does it flush older entries for new entries? Basically, how does the SSL cache work exactly?

If there is no memory available in a shared cache, the oldest non-expired session will be dropped. In most cases this will be enough to create a new session, but I wouldn't rely on this, as this is more an emergency mechanism than normal behaviour.

--
Maxim Dounin
http://nginx.com/support.html
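The eviction order Maxim describes (expired sessions go first, then the oldest still-valid session when the cache is full) determines how a given ssl_session_cache size and ssl_session_timeout interact. The following is an added Python model, not nginx's own code: it assumes fixed-size session slots, uses the approximate figure from the nginx documentation that one megabyte of shared cache holds about 4000 sessions, and feeds the cache a constructed constant arrival rate (20 new sessions per second) so the difference between a 5m and a 720m timeout in a 4m cache can be counted. The function names, the headroom factor and the rate are assumptions for illustration.

```python
import math
from collections import OrderedDict

# Approximate figure from the nginx documentation for ssl_session_cache:
# "one megabyte can store about 4000 sessions".
SESSIONS_PER_MB = 4000


def cache_capacity(size_bytes):
    """Approximate number of sessions a shared cache of size_bytes can hold."""
    return size_bytes * SESSIONS_PER_MB // (1024 * 1024)


class SessionCache:
    """Toy model of the shared SSL session cache (simplification: fixed-size slots).

    Entries live for `timeout` seconds.  On insert, expired entries are dropped
    first; if the cache is still full, the oldest live session is evicted.  That
    forced eviction is the emergency path described in the reply above and is
    what the "no memory" log line corresponds to in this model.
    """

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.entries = OrderedDict()   # session_id -> created_at; insertion order == age
        self.expired = 0               # dropped because they timed out
        self.forced_evictions = 0      # dropped while still valid, for lack of space

    def _expire(self, now):
        while self.entries:
            sid, created = next(iter(self.entries.items()))
            if now - created < self.timeout:
                break
            self.entries.popitem(last=False)
            self.expired += 1

    def insert(self, sid, now):
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # oldest non-expired session goes
            self.forced_evictions += 1
        self.entries[sid] = now

    def lookup(self, sid, now):
        """Resumption succeeds only for a cached, unexpired session."""
        created = self.entries.get(sid)
        return created is not None and now - created < self.timeout


def simulate(size_bytes, timeout_s, new_sessions_per_s, duration_s):
    """Constant arrival rate of new sessions; returns the cache counters at the end."""
    cache = SessionCache(cache_capacity(size_bytes), timeout_s)
    sid = 0
    for now in range(duration_s):
        for _ in range(new_sessions_per_s):
            cache.insert(sid, now)
            sid += 1
    return {
        "capacity": cache.capacity,
        "live": len(cache.entries),
        "expired": cache.expired,
        "forced_evictions": cache.forced_evictions,
    }


def cache_bytes_for(timeout_s, new_sessions_per_s, headroom=1.5):
    """Cache size (whole megabytes, returned as bytes) so that one timeout's worth
    of new sessions fits, with headroom for bursts and allocator overhead."""
    sessions = new_sessions_per_s * timeout_s * headroom
    return math.ceil(sessions / SESSIONS_PER_MB) * 1024 * 1024


if __name__ == "__main__":
    four_mb = 4 * 1024 * 1024
    rate = 20      # constructed: 20 new TLS sessions per second at peak
    hour = 3600
    print("5m timeout:  ", simulate(four_mb, 5 * 60, rate, hour))
    print("720m timeout:", simulate(four_mb, 720 * 60, rate, hour))
    need = cache_bytes_for(720 * 60, rate)
    print("cache needed for 720m at %d/s: %dm" % (rate, need // (1024 * 1024)))
```

With a 5m timeout the 4m cache (about 16000 slots) never fills at this rate, so every eviction is an expiry. With a 720m timeout nothing expires within the hour, the cache fills after 16000 sessions and every further handshake forces a live session out, so most sessions are evicted long before their timeout and the longer timeout buys nothing. The sizing helper shows the other side of that trade: holding 12 hours of sessions at 20/s takes a cache on the order of 324m, not 4m. Two caveats the model leaves out: the real slab allocator works with variable-size chunks, so freeing one session is not guaranteed to satisfy the next allocation (hence "in most cases" above), and a longer timeout also keeps each session's master secret resumable in server memory for that long, which is why RFC 5246 appendix F.1.4 recommends that session lifetimes not exceed 24 hours.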
on 2012-12-14 12:00
Hello!

On Thu, Dec 13, 2012 at 09:45:19PM -0500, justin wrote:

> 720m which is 12 hours. Seems like caching longer would be better. Or, is
> there a security risk of caching for such a long time?

You may consider RFC5246, which suggests an upper limit of 24h:

http://tools.ietf.org/html/rfc5246#appendix-F.1.4

--
Maxim Dounin
http://nginx.com/support.html
on 2012-12-14 23:52
Maxim,

Thanks for the reply. So if the oldest cache entries are automatically purged, why am I seeing:

ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL_CACHE"

logged thousands upon thousands of times in my error log? Was this because, even though at that time my expiration was 5m, the cache was full, and it couldn't purge any cache entries because none were expired?

If this is the case, I recommend changing the message from critical error to a notice. Basically, it just means that SSL connections could not use the cache; they were not failing, just slower. Probably shouldn't be a critical error, right?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,233990,234060#msg-234060