[PATCH] rfc5077 session tickets

Daniel Black daniel.black at openquery.com
Tue Oct 2 02:09:48 UTC 2012


For a quick summary of session tickets look at http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html and for a longer version read the rfc.

Session tickets are supported in chrome and firefox browsers.

Both session tickets and session IDs (the current session implementation) allow the server to resume an SSL/TLS session with a quicker round trip and less cryptographic material generation.

The advantage of session tickets over session ids is that the server can now handle an unlimited number of session resumption clients using a fixed amount of shared memory (52 bytes).

It also handles resumption for client side certificates.

Because there's no memory cost for these, they have a larger timeout value, allowing those clients to have a quicker resumption (one round trip quicker) when they connect within the ssl_ticket_timeout.

This also disables session tickets when shared memory isn't set up. This is a current problem when there is more than one worker. By default OpenSSL handles session tickets using an internal buffer that isn't shared between processes. As such, clients are likely to go through a renegotiation.

This requires the previously sent patches:
[PATCH] allow printing of string buffers in hex format
[PATCH] cast results of ngx_ssl_get_connection to right type

Originally submitted as part of http://trac.nginx.org/nginx/ticket/120

The test plan nginx-rfc5077-testplan.txt attached to the trac ticket enables verification of the functionality.


-- 
Daniel Black
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rfc5077.patch
Type: text/x-patch
Size: 18286 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20121002/13e9dd44/attachment-0001.bin>
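The post above explains why the ticket key has to live in memory shared by every worker: a ticket is only useful to a server holding the key that issued it. The following is an added example in Python, not code from the post or from the attached nginx patch. It models the ticket layout RFC 5077 section 4 recommends (key_name || iv || encrypted_state || mac) and the 48-byte key blob (16-byte name, 16-byte encryption key, 16-byte MAC key) that OpenSSL's SSL_CTX_set_tlsext_ticket_keys takes, then shows a client obtaining a ticket from one worker and presenting it to another, first with per-worker random keys and then with one shared blob. The cipher is an HMAC-SHA256 counter-mode stand-in for the RFC's AES-128-CBC (the standard library has no AES), and the session state, worker names and key blobs are all constructed for the demonstration.

```python
"""Toy RFC 5077 session-ticket issue/verify, to show why the ticket key must be shared.

Added example; not from the nginx patch or from OpenSSL. The HMAC counter-mode
"cipher" stands in for AES-128-CBC and is not meant for production use.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_NAME_LEN = 16
IV_LEN = 16
MAC_LEN = 32
KEY_BLOB_LEN = 48  # name(16) || encryption key(16) || MAC key(16), the OpenSSL layout


@dataclass(frozen=True)
class TicketKey:
    """One ticket key. In a multi-worker server this 48-byte blob is the shared state."""
    name: bytes
    enc_key: bytes
    mac_key: bytes

    @classmethod
    def from_blob(cls, blob: bytes) -> "TicketKey":
        if len(blob) != KEY_BLOB_LEN:
            raise ValueError("ticket key blob must be 48 bytes")
        return cls(blob[:16], blob[16:32], blob[32:48])

    @classmethod
    def generate(cls) -> "TicketKey":
        # What each worker ends up with when nothing is shared: a random key of its own,
        # so tickets it issues are only valid in that process.
        return cls.from_blob(secrets.token_bytes(KEY_BLOB_LEN))


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stand-in for the RFC's AES-128-CBC."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def issue_ticket(key: TicketKey, session_state: bytes) -> bytes:
    """NewSessionTicket payload: key_name || iv || encrypted_state || mac."""
    iv = secrets.token_bytes(IV_LEN)
    encrypted = _xor(session_state, _keystream(key.enc_key, iv, len(session_state)))
    body = key.name + iv + encrypted
    mac = hmac.new(key.mac_key, body, hashlib.sha256).digest()
    return body + mac


def resume_from_ticket(key: TicketKey, ticket: bytes):
    """Return the decrypted session state, or None when the ticket is unusable and the
    server has to fall back to a full handshake (the renegotiation the post describes)."""
    if len(ticket) < KEY_NAME_LEN + IV_LEN + MAC_LEN:
        return None  # truncated
    if ticket[:KEY_NAME_LEN] != key.name:
        return None  # issued under a key this process does not hold
    body, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    expected = hmac.new(key.mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None  # tampered ticket
    iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
    encrypted = body[KEY_NAME_LEN + IV_LEN:]
    return _xor(encrypted, _keystream(key.enc_key, iv, len(encrypted)))


def two_worker_resumption(shared_blob: bytes = None) -> bool:
    """Client gets a ticket from worker A and presents it to worker B; return whether B
    resumed. With shared_blob=None each worker uses its own random key."""
    if shared_blob is None:
        worker_a, worker_b = TicketKey.generate(), TicketKey.generate()
    else:
        worker_a = worker_b = TicketKey.from_blob(shared_blob)
    # Constructed session state; a real ticket carries the master secret, cipher, etc.
    state = b"master_secret=" + secrets.token_hex(8).encode() + b";cipher=AES128-SHA"
    ticket = issue_ticket(worker_a, state)
    return resume_from_ticket(worker_b, ticket) == state


if __name__ == "__main__":
    print("per-worker keys, resumed on other worker:", two_worker_resumption())
    print("shared 48-byte blob, resumed on other worker:",
          two_worker_resumption(secrets.token_bytes(KEY_BLOB_LEN)))
```

The key-name check is what lets a server reject foreign tickets cheaply before doing any MAC work; with independent per-worker keys it fails on every cross-worker connection, which is the behaviour the patch avoids by keeping the key in shared memory (and by disabling tickets when no shared memory is configured).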

