Distributed SSL session cache

Piotr Sikora piotr at cloudflare.com
Mon Sep 16 08:30:30 UTC 2013


Hello,

> SSL session tickets are not good enough b/c they don't support modern cipher modes (like GCM) and they don't work with PFS.

Neither is true. Below is the output of nginx's debug log for two SSL
handshakes. The first connection creates a new session (and does a full
handshake), while the second one successfully reuses the session (and
does only an abbreviated handshake) using the Session Ticket from the
first connection. As you can see, there was no problem with negotiating
TLS 1.2 or a PFS cipher suite.

[debug] 20655#0: *1 SSL_accept: before/accept initialization
[debug] 20655#0: *1 SSL server name: "localhost"
[debug] 20655#0: *1 SSL_accept: SSLv3 read client hello A
[debug] 20655#0: *1 SSL_accept: SSLv3 write server hello A
[debug] 20655#0: *1 SSL_accept: SSLv3 write certificate A
[debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A
[debug] 20655#0: *1 SSL_accept: SSLv3 write server done A
[debug] 20655#0: *1 SSL_accept: SSLv3 flush data
[debug] 20655#0: *1 SSL_do_handshake: -1
[debug] 20655#0: *1 SSL_get_error: 2
[debug] 20655#0: *1 SSL handshake handler: 0
[debug] 20655#0: *1 SSL_accept: SSLv3 read client key exchange A
[debug] 20655#0: *1 SSL_accept: SSLv3 read finished A
[debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A
[debug] 20655#0: *1 SSL_accept: SSLv3 write change cipher spec A
[debug] 20655#0: *1 SSL_accept: SSLv3 write finished A
[debug] 20655#0: *1 SSL_accept: SSLv3 flush data
[debug] 20655#0: *1 SSL_do_handshake: 1
[debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"

[debug] 20655#0: *2 SSL_accept: before/accept initialization
[debug] 20655#0: *2 SSL server name: "localhost"
[debug] 20655#0: *2 SSL_accept: SSLv3 read client hello A
[debug] 20655#0: *2 SSL_accept: SSLv3 write server hello A
[debug] 20655#0: *2 SSL_accept: SSLv3 write change cipher spec A
[debug] 20655#0: *2 SSL_accept: SSLv3 write finished A
[debug] 20655#0: *2 SSL_accept: SSLv3 flush data
[debug] 20655#0: *2 SSL_do_handshake: -1
[debug] 20655#0: *2 SSL_get_error: 2
[debug] 20655#0: *2 SSL handshake handler: 0
[debug] 20655#0: *2 SSL_accept: SSLv3 read finished A
[debug] 20655#0: *2 SSL_do_handshake: 1
[debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL reused session

Best regards,
Piotr Sikora
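
Added example (not part of the original message and not nginx code): a small Python check that reads nginx debug output like the log above and reports, per connection, whether the handshake was full or resumed, whether a session ticket was issued, and which cipher was negotiated. The function names `unwrap` and `summarize` are hypothetical, the sample is constructed from the log above, and the ephemeral key exchange test assumes OpenSSL suite names.

```python
import re

# Constructed sample, abridged from the log above (mail line wraps kept).
SAMPLE = """\
[debug] 20655#0: *1 SSL_accept: SSLv3 write certificate A
[debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A
[debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A
[debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL_accept: SSLv3 write change cipher spec A
[debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL reused session
"""

RECORD = re.compile(r'^\[debug\] \d+#\d+: \*(\d+) (.*)$')
CIPHER = re.compile(r'SSL: (\S+), cipher: "(\S+) .*Mac=([^"\s]+)')

def unwrap(text):
    """Rejoin records that were wrapped onto a continuation line."""
    records = []
    for raw in text.splitlines():
        if raw.startswith('[debug]') or not records:
            records.append(raw)
        elif raw.strip():
            records[-1] += ' ' + raw.strip()
    return records

def summarize(text):
    """Map connection id -> handshake facts read from nginx debug output."""
    conns = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        c = conns.setdefault(int(m.group(1)), dict(
            full=False, ticket_issued=False, reused=False,
            protocol=None, cipher=None, ephemeral_kx=False, aead=False))
        msg = m.group(2)
        c['full'] |= 'write certificate' in msg or 'key exchange' in msg
        c['ticket_issued'] |= 'write session ticket' in msg
        c['reused'] |= msg == 'SSL reused session'
        cm = CIPHER.match(msg)
        if cm:
            c['protocol'], c['cipher'] = cm.group(1), cm.group(2)
            # Assumption: OpenSSL suite names; (EC)DHE prefix = ephemeral kx.
            c['ephemeral_kx'] = cm.group(2).startswith(('ECDHE-', 'DHE-'))
            c['aead'] = cm.group(3) == 'AEAD'
    return conns
```

A connection with `reused` set, `full` unset, and both `ephemeral_kx` and `aead` set is a resumed session on a forward-secret AEAD suite, which is what connection `*2` shows.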


