Distributed SSL session cache

kyprizel kyprizel at gmail.com
Sun Sep 15 20:51:38 UTC 2013


SSL session tickets are not good enough b/c they don't support modern
cipher modes (like GCM) and they don't work with PFS.

Is it generally possible to implement session lookup in non-blocking way in
this case?
If yes - is there any good example of OpenSSL's non-blocking callbacks?

P.S. As an alternative (and I don't like this idea) - we can distribute
sessions to nginx cache via custom-written module, something like it's done
in stud.




On Sat, Sep 14, 2013 at 11:06 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Sat, Sep 14, 2013 at 02:49:49PM +0400, kyprizel wrote:
>
> > Hi,
> > I'm thinking on design of patch for adding distributed SSL session cache
> > and have a question -
> > is it  possible and ok to create keepalive upstream to some storage
> > (memcached/redis/etc), then use it from
> > ngx_ssl_new_session/ngx_ssl_get_cached_session ?
>
> As far as I remember, OpenSSL doesn't provide a non-blocking
> interface to session lookup (I've just did a quick look though
> code, and it seems I remeber it right).  This basically ruins the
> the idea unless you are brave enough to implement needed
> interfaces in OpenSSL.
>
> I would rather focus on a support for SSL session tickets shared
> between multiple servers.
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20130916/cfe00d52/attachment.html>


More information about the nginx-devel mailing list