Distributed SSL session cache

kyprizel kyprizel at gmail.com
Mon Sep 16 09:03:09 UTC 2013


Piotr, are we talking about "session tickets" (
http://tools.ietf.org/html/rfc4507) ?



On Mon, Sep 16, 2013 at 12:30 PM, Piotr Sikora <piotr at cloudflare.com> wrote:

> Hello,
>
> > SSL session tickets are not good enough b/c they don't support modern
> cipher modes (like GCM) and they don't work with PFS.
>
> Neither is true. Below is the output of nginx's debug log for two SSL
> handshakes. First connection creates new session (and does full
> handshake), while the second one successfully reuses session (and is
> doing only abbreviated handshake) using Session Ticket from the first
> connection. As you can see, there was no problem with negotiating TLS
> 1.2 or PFS cipher suite.
>
> [debug] 20655#0: *1 SSL_accept: before/accept initialization
> [debug] 20655#0: *1 SSL server name: "localhost"
> [debug] 20655#0: *1 SSL_accept: SSLv3 read client hello A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write server hello A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write certificate A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write server done A
> [debug] 20655#0: *1 SSL_accept: SSLv3 flush data
> [debug] 20655#0: *1 SSL_do_handshake: -1
> [debug] 20655#0: *1 SSL_get_error: 2
> [debug] 20655#0: *1 SSL handshake handler: 0
> [debug] 20655#0: *1 SSL_accept: SSLv3 read client key exchange A
> [debug] 20655#0: *1 SSL_accept: SSLv3 read finished A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write change cipher spec A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write finished A
> [debug] 20655#0: *1 SSL_accept: SSLv3 flush data
> [debug] 20655#0: *1 SSL_do_handshake: 1
> [debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
> TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
>
> [debug] 20655#0: *2 SSL_accept: before/accept initialization
> [debug] 20655#0: *2 SSL server name: "localhost"
> [debug] 20655#0: *2 SSL_accept: SSLv3 read client hello A
> [debug] 20655#0: *2 SSL_accept: SSLv3 write server hello A
> [debug] 20655#0: *2 SSL_accept: SSLv3 write change cipher spec A
> [debug] 20655#0: *2 SSL_accept: SSLv3 write finished A
> [debug] 20655#0: *2 SSL_accept: SSLv3 flush data
> [debug] 20655#0: *2 SSL_do_handshake: -1
> [debug] 20655#0: *2 SSL_get_error: 2
> [debug] 20655#0: *2 SSL handshake handler: 0
> [debug] 20655#0: *2 SSL_accept: SSLv3 read finished A
> [debug] 20655#0: *2 SSL_do_handshake: 1
> [debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
> TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
> [debug] 20655#0: *2 SSL reused session
>
> Best regards,
> Piotr Sikora
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20130916/2abf32b7/attachment-0001.html>


More information about the nginx-devel mailing list