Forum: NGINX Does nginx support SSL resumption?

Michael Shadle (Guest)
on 2009-05-30 01:21
(Received via mailing list)
If so, is it enabled by default? How can I enable it?
Igor Sysoev (Guest)
on 2009-05-30 09:08
(Received via mailing list)
On Fri, May 29, 2009 at 04:09:23PM -0700, Michael Shadle wrote:

> If so, is it enabled by default? How can I enable it?

If you mean SSL session reusing, then

ssl_session_cache  shared:SSL:10m;

Default is "ssl_session_cache none".
Michael Shadle (Guest)
on 2009-05-30 09:12
(Received via mailing list)
Is there any reason for not enabling this? Some sort of possible
security risk?

Seems like it saves a lot of negotiation overhead on each request.

This is what I mean by "SSL resumption"; I think it's what you're
talking about too.
http://rdist.root.org/2009/03/10/note-to-wordpress-on-ssl/

2009/5/29 Igor Sysoev <is@rambler-co.ru>:
Igor Sysoev (Guest)
on 2009-05-30 09:49
(Received via mailing list)
On Sat, May 30, 2009 at 12:04:27AM -0700, Michael Shadle wrote:

> Is there any reason for not enabling this? some sort of possible security risk?

> Seems like it saves a lot of negotiation overhead on each request

Yes. However, the built-in OpenSSL session cache leads to memory
fragmentation, see http://marc.info/?t=120127289900027

Also, I do think that the shared SSL session cache should be enabled by
default.

BTW, http://wiki.nginx.org/NginxHttpSslModule is outdated:
ssl_session_cache has two more parameters, "off" and "none" (the default):

"off" is hard off: nginx says explicitly to a client that sessions can
not be reused.

"none" is soft off: nginx says to a client that sessions can be reused,
but nginx actually never reuses them. This is a workaround for some mail
clients, as ssl_session_cache may be used in the mail proxy as well as in
the HTTP server.
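A client-side check for the distinction just described, added here as an example (it is not code from the thread or from nginx): `openssl s_client -reconnect` performs the initial handshake and then five reconnects that offer the same session, printing a `New, ...` or `Reused, ...` line for each. A server with `ssl_session_cache shared:SSL:10m;` shows one New followed by Reused lines; a server on the default `none` advertises resumption but never serves a cached session, so every reconnect shows New. The host and port passed to `probe_server` and the two sample outputs (trimmed to the lines that matter) are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the handshakes reported by `openssl s_client -reconnect`.
# Reads s_client output on stdin and prints "new=<n> reused=<n>".
count_handshakes() {
    awk '
        /^New, /    { new++ }
        /^Reused, / { reused++ }
        END { printf "new=%d reused=%d\n", new + 0, reused + 0 }
    '
}

# Succeeds (exit 0) when at least one handshake in the captured output was
# resumed, i.e. the server really served a session from its cache.
resumption_works() {
    count_handshakes | grep -q 'reused=[1-9]'
}

# Live probe against a server of your choosing (not run here).
# -reconnect does the initial handshake plus five reconnects offering the same
# session; -no_ticket forces session-ID resumption, which is the path that the
# nginx ssl_session_cache serves.
probe_server() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -reconnect -no_ticket </dev/null 2>/dev/null
}

# Constructed sample output for a server with "ssl_session_cache shared:SSL:10m;":
# the first handshake is full, the five reconnects are resumed.
SAMPLE_SHARED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# Constructed sample output for the default "ssl_session_cache none;": the client
# offers its session every time, but every reconnect is a full handshake.
SAMPLE_NONE='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
drop connection and then reconnect
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# Usage against a live server:
#   probe_server www.example.com 443 | resumption_works && echo "resumption OK"
```

The check only tells you whether the server resumed the session it was offered; it cannot distinguish `off` from `none`, since in both cases every reconnect is a full handshake. With `off` the server additionally tells the client not to bother offering the session at all.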
Michael Shadle (Guest)
on 2009-05-30 19:43
(Received via mailing list)
2009/5/30 Igor Sysoev <is@rambler-co.ru>:

> Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
> see http://marc.info/?t=120127289900027

Is this an OpenSSL bug? I think there's an OpenSSL bug I am hitting as
well with Firefox 3.x (even using the ssl_protocols workaround) - if
this is a bug in OpenSSL I'd like to go yell at them for both... :)

> Also I do think that shared SSL session cache should be enabled by default.

I agree.

> BTW, http://wiki.nginx.org/NginxHttpSslModule is outdated:
> ssl_session_cache has two more parameters, "off" and "none" (the default):
>
> "off" is hard off: nginx says explicitly to a client that sessions can not
> be reused.
>
> "none" is soft off: nginx says to a client that sessions can be reused, but
> nginx actually never reuses them. This is a workaround for some mail clients
> as ssl_session_cache may be used in mail proxy as well as in HTTP server.

I've updated the wiki with this information.
http://wiki.nginx.org/NginxHttpSslModule#ssl_session_cache

Does it still accept two parameters as shown in the example on the
wiki? I want to make sure that is still legitimate. I assume that
means it will use the first cache and fall back to the second if it is
full or something?

Please verify my changes are correct. I don't want to be putting up
incorrect information :)
Igor Sysoev (Guest)
on 2009-05-30 20:50
(Received via mailing list)
On Sat, May 30, 2009 at 10:27:06AM -0700, Michael Shadle wrote:

> 2009/5/30 Igor Sysoev <is@rambler-co.ru>:
>
> > Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
> > see http://marc.info/?t=120127289900027
>
> Is this an OpenSSL bug? I think there's an OpenSSL bug I am hitting as
> well with Firefox 3.x (even using the ssl_protocols workaround) - if
> this is a bug in OpenSSL I'd like to go yell at them for both... :)

I believe this is a joint effect of some libc malloc() and OpenSSL.

> > "none" is soft off: nginx says to a client that session can be resued, but
> > nginx actually never reuses them. This is workaround for some mail clients
> > as ssl_session_cache may be used in mail proxy as well as in HTTP server.
>
> I've updated the wiki with this information.
> http://wiki.nginx.org/NginxHttpSslModule#ssl_session_cache
>
> Does it still accept two parameters as shown in the example on the
> wiki? I want to make sure that is still legitimate. I assume that
> means it will use the first cache and fall back to the second if it is
> full or something?

Yes, you may still set both the builtin and the shared cache simultaneously,
but the shared one alone is preferable.

> Please verify my changes are correct. I don't want to be putting up
> incorrect information :)

Thank you, this is correct.
Michael Shadle (Guest)
on 2009-05-30 22:31
(Received via mailing list)
2009/5/30 Igor Sysoev <is@rambler-co.ru>:

> I believe this is joint effect of some libc malloc() and OpenSSL.

You wouldn't happen to have any kind of debug info or a short C
program to emulate this behavior so I can submit it to the OpenSSL
team, do you?

Since I want to get on their case about something else, I might as
well kill two birds with one stone.
Igor Sysoev (Guest)
on 2009-06-03 10:40
(Received via mailing list)
On Sat, May 30, 2009 at 01:16:43PM -0700, Michael Shadle wrote:

> 2009/5/30 Igor Sysoev <is@rambler-co.ru>:
>
> > I believe this is joint effect of some libc malloc() and OpenSSL.
>
> You wouldn't happen to have any kind of debug info or a short C
> program to emulate this behavior so I can submit it to the OpenSSL
> team, do you?
>
> Since I want to get on their case about something else, I might as
> well kill two birds with one stone.

No, I have no additional information.