Does nginx support SSL resumption?


#1

If so, is it enabled by default? How can I enable it?


#2

On Fri, May 29, 2009 at 04:09:23PM -0700, Michael S. wrote:

If so, is it enabled by default? How can I enable it?

If you mean SSL session reusing, then

ssl_session_cache shared:SSL:10m;

Default is “ssl_session_cache none”.


#3

Is there any reason for not enabling this? some sort of possible
security risk?

Seems like it saves a lot of negotiation overhead on each request

This is what I mean by “SSL resumption” I think it’s what you’re
talking about too.
http://rdist.root.org/2009/03/10/note-to-wordpress-on-ssl/

2009/5/29 Igor S. removed_email_address@domain.invalid:


#4

2009/5/30 Igor S. removed_email_address@domain.invalid:

Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
see http://marc.info/?t=120127289900027

Is this an OpenSSL bug? I think there’s an OpenSSL bug I am hitting as
well with Firefox 3.x (even using the ssl_protocols workaround) - if
this is a bug in OpenSSL I’d like to go yell at them for both… :slight_smile:

Also I do think that shared SSL session cache should be enabled by default.

I agree.

BTW, http://wiki.nginx.org/NginxHttpSslModule is outdated:
ssl_session_cache has yet two paramters “off” and “none” (default one):

“off” is hard off: nginx says explicitly to a client that sessions can not
reused.

“none” is soft off: nginx says to a client that session can be resued, but
nginx actually never reuses them. This is workaround for some mail clients
as ssl_session_cache may be used in mail proxy as well as in HTTP server.

I’ve updated the wiki with this information.
http://wiki.nginx.org/NginxHttpSslModule#ssl_session_cache

Does it still accept two parameters as shown int he example on the
wiki? I want to make sure that is still legitimate. I assume that
means it will use the first cache and fall back to the second if it is
full or something?

Please verify my changes are correct. I don’t want to be putting up
incorrect information :slight_smile:


#5

On Sat, May 30, 2009 at 12:04:27AM -0700, Michael S. wrote:

Is there any reason for not enabling this? some sort of possible security risk?

Seems like it saves a lot of negotiation overhead on each request

Yes. However, built-in OpenSSL session cache leads to memory
fragmentation,
see http://marc.info/?t=120127289900027

Also I do think that shared SSL session cache should be enabled by
default.

BTW, http://wiki.nginx.org/NginxHttpSslModule is outdated:
ssl_session_cache has yet two paramters “off” and “none” (default one):

“off” is hard off: nginx says explicitly to a client that sessions can
not
reused.

“none” is soft off: nginx says to a client that session can be resued,
but
nginx actually never reuses them. This is workaround for some mail
clients
as ssl_session_cache may be used in mail proxy as well as in HTTP
server.


#6

On Sat, May 30, 2009 at 10:27:06AM -0700, Michael S. wrote:

2009/5/30 Igor S. removed_email_address@domain.invalid:

Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
see http://marc.info/?t=120127289900027

Is this an OpenSSL bug? I think there’s an OpenSSL bug I am hitting as
well with Firefox 3.x (even using the ssl_protocols workaround) - if
this is a bug in OpenSSL I’d like to go yell at them for both… :slight_smile:

I believe this is joint effect of some libc malloc() and OpenSSL.

“none” is soft off: nginx says to a client that session can be resued, but
nginx actually never reuses them. This is workaround for some mail clients
as ssl_session_cache may be used in mail proxy as well as in HTTP server.

I’ve updated the wiki with this information.
http://wiki.nginx.org/NginxHttpSslModule#ssl_session_cache

Does it still accept two parameters as shown int he example on the
wiki? I want to make sure that is still legitimate. I assume that
means it will use the first cache and fall back to the second if it is
full or something?

Yes, you still may set both builtin and shared cache simultaneously,
but shared one only is preferable.

Please verify my changes are correct. I don’t want to be putting up
incorrect information :slight_smile:

Thank you, this is correct.


#7

2009/5/30 Igor S. removed_email_address@domain.invalid:

I believe this is joint effect of some libc malloc() and OpenSSL.

You wouldn’t happen to have any kind of debug info or a short C
program to emulate this behavior so I can submit it to the OpenSSL
team, do you?

Since I want to get on their case about something else, I might as
well kill two birds with one stone.


#8

On Sat, May 30, 2009 at 01:16:43PM -0700, Michael S. wrote:

2009/5/30 Igor S. removed_email_address@domain.invalid:

I believe this is joint effect of some libc malloc() and OpenSSL.

You wouldn’t happen to have any kind of debug info or a short C
program to emulate this behavior so I can submit it to the OpenSSL
team, do you?

Since I want to get on their case about something else, I might as
well kill two birds with one stone.

No, I have no additional information.