SSL performance optimization with cache

Hello,

I am optimizing our install of nginx for SSL performance, since our SaaS app is served exclusively over https. I have the following SSL performance directives:

ssl_session_cache shared:SSL_CACHE:4m;
ssl_session_timeout 5m;

My question is, what is the downfall, if any, of setting the timeout to something like 720m, which is 12 hours? It seems like caching longer would be better. Or is there a security risk of caching for such a long time?

Thanks.

Browsing my nginx error log, I noticed the following logged A LOT:

2012/12/13 21:37:18 [crit] 7968#0: ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL_CACHE"

If the cache fills, does it flush older entries for new entries? Basically, how does the SSL cache work exactly?

Thanks.

Hello!

On Fri, Dec 14, 2012 at 01:45:34AM -0500, justin wrote:

> Browsing my nginx error log, I noticed the following logged A LOT:
>
> 2012/12/13 21:37:18 [crit] 7968#0: ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL_CACHE"
>
> If the cache fills, does it flush older entries for new entries? Basically,
> how does the SSL cache work exactly?

If there is no memory available in a shared cache, the oldest non-expired session will be dropped. In most cases this will be enough to create a new session, but I wouldn't rely on this, as this is more an emergency mechanism than a normal behaviour.

Maxim D.

Hello!

On Thu, Dec 13, 2012 at 09:45:19PM -0500, justin wrote:

> 720m which is 12 hours. Seems like caching longer would be better. Or, is
> there a security risk of caching for such a long time?

You may consider RFC5246, which suggests an upper limit of 24h:


Maxim D.

Maxim,

Thanks for the reply. So if the oldest cache entries are automatically purged, why am I seeing:

ngx_slab_alloc() failed: no memory in SSL session shared cache "SSL_CACHE"

logged thousands upon thousands of times in my error log? Was this because, even though at that time my expiration was 5m, the cache was full, and it couldn't purge any cache entries because none were expired?

If this is the case, I recommend changing the message from a critical error to a notice. Basically, it just means that SSL connections could not use the cache; they were not failing, just slower. It probably shouldn't be a critical error, right?

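The eviction behaviour Maxim describes, and Justin's question about why the "no memory" message repeats while no entries are expired, can be seen in a small model of the cache. This is an added illustration, not nginx's own code: it assumes nginx's documented rule of thumb of roughly 4000 sessions per megabyte of shared cache, and a constructed steady load of new sessions per second.

```python
from collections import OrderedDict

# nginx documents roughly 4000 sessions per megabyte of shared cache (rule of thumb).
SESSIONS_PER_MB = 4000


class SessionCache:
    """Simplified model of the shared session cache discussed in the thread:
    a fixed number of slots plus a timeout. When a new session needs a slot
    and the cache is full, expired entries are freed first; if none have
    expired, the oldest live session is dropped, the emergency path that
    nginx reports as 'ngx_slab_alloc() failed: no memory in SSL session
    shared cache'. Illustrative model only, not nginx's slab allocator."""

    def __init__(self, size_mb, timeout_s):
        self.capacity = size_mb * SESSIONS_PER_MB
        self.timeout = timeout_s
        self.store = OrderedDict()   # session id -> creation time, oldest first
        self.forced_evictions = 0    # how often the emergency path was taken

    def _purge_expired(self, now):
        while self.store:
            oldest_created = next(iter(self.store.values()))
            if now - oldest_created < self.timeout:
                break
            self.store.popitem(last=False)

    def add(self, sid, now):
        if len(self.store) >= self.capacity:
            self._purge_expired(now)
        if len(self.store) >= self.capacity:
            self.store.popitem(last=False)  # drop the oldest non-expired session
            self.forced_evictions += 1
        self.store[sid] = now


def simulate(size_mb, timeout_s, new_sessions_per_s, duration_s):
    """Feed a steady stream of new sessions; return (forced evictions, final size)."""
    cache = SessionCache(size_mb, timeout_s)
    for t in range(duration_s):
        for i in range(new_sessions_per_s):
            cache.add((t, i), t)
    return cache.forced_evictions, len(cache.store)


def required_mb(timeout_s, new_sessions_per_s):
    """Cache size (MB) that holds every session created within one timeout."""
    return timeout_s * new_sessions_per_s / SESSIONS_PER_MB


if __name__ == "__main__":
    # Constructed load: 100 new sessions/s against the thread's 4m cache and 5m timeout.
    print(simulate(4, 300, 100, 600))   # emergency evictions every second once full
    print(required_mb(300, 100))        # 7.5 MB would avoid them at this load
```

With the thread's 4m cache and 5m timeout, the model fills in 160 s and then takes the emergency path on every new session, matching the flood of log lines; `required_mb` also shows why a 720m timeout would need a cache sized for twelve hours of new sessions.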