Distributed SSL session cache

Maxim Dounin mdounin at mdounin.ru
Mon Sep 16 13:37:27 UTC 2013


On Mon, Sep 16, 2013 at 11:21:25PM +1000, Daniel Black wrote:
> > > Is it generally possible to implement session lookup in non-blocking
> > > way in
> > > this case?
> > > If yes - is there any good example of OpenSSL's non-blocking
> > > callbacks?
> > 
> > It should be possible, but it will likely require non-trivial
> > changes in OpenSSL. And I don't know any good examples.
> http://twistedmatrix.com/trac/browser/trunk/twisted/protocols/tls.py is in Python and uses Python-wrapped OpenSSL calls; however, it is non-blocking.

We are talking about implementing session lookup callbacks in 
OpenSSL in a non-blocking way.  Using OpenSSL for non-blocking 
communication is what nginx already does.

> > > P.S. As an alternative (and I don't like this idea) - we can
> > > distribute
> > > sessions to nginx cache via custom-written module, something like
> > > it's done
> > > in stud.
> > 
> > This should be doable, and probably it's the simplest solution if you
> > want to stick with a server-side session store.
> I was considering name space allocation in the TLS ticket name 
> amongst servers and an async distribution mechanism amongst 
> servers (multicast?). Since there are 120 bytes per 
> server of session tickets, allocating this on every web/mail 
> server in a cluster probably isn't a high memory overhead, and 
> since the session key info is reused it's not BW intensive 
> either. It also solves some non-blocking aspects associated with 
> key retrieval.
> On client incompatibility (on ticket renewals), GnuTLS devs 
> fixed it right away, OpenSSL had already done a fix, and with NSS I 
> had trouble replicating the problem.

This, again, is about distribution of sessions, not session ticket 

If considering distribution of session ticket keys, the simplest 
solution would be to just load keys with a configuration.  This 
allows one not to bother with the security of distribution, which 
otherwise is a major problem.

Maxim Dounin
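The "load keys with a configuration" approach above, as an added example that is not part of the thread: a small script that generates one shared session ticket key file and sanity-checks it before it is copied to every server through whatever trusted channel already carries the configuration. It assumes nginx's `ssl_session_ticket_key` directive (added in later nginx releases, after this discussion), a `/dev/urandom` device, and the file path `./ticket.key`, which is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the nginx-devel thread.
# Generate and verify a shared TLS session ticket key file for nginx.
# Assumes: nginx's ssl_session_ticket_key directive, /dev/urandom,
# and a placeholder key path (KEY_FILE) that you replace with your own.

KEY_FILE="${KEY_FILE:-./ticket.key}"   # placeholder path

# Create a 48-byte random key with owner-only permissions from the start.
# nginx reads this file as: 16-byte key name, 16-byte AES key, 16-byte HMAC key.
gen_ticket_key() {
    umask 077
    head -c 48 /dev/urandom > "$1"
}

# Return 0 only if the file exists, is exactly 48 bytes long, and has no
# group/other permission bits (a ticket key readable by others lets anyone
# decrypt every resumed session it protected).
check_ticket_key() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 48 ] || return 1
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

gen_ticket_key "$KEY_FILE"
check_ticket_key "$KEY_FILE" && echo "ok: $KEY_FILE"

# nginx side, identical on every server in the cluster.  To rotate, list the
# new key first (used for encryption) and keep the old one listed for one
# session timeout so tickets issued before the rotation still decrypt:
#   ssl_session_ticket_key /etc/nginx/ticket.key;
#   ssl_session_timeout    10m;
```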
