[PATCH] SSL: raised limit for upstream session size
Maxim Dounin
mdounin at mdounin.ru
Fri Dec 22 21:46:47 UTC 2023
Hello!

On Fri, Dec 22, 2023 at 06:28:34PM +0400, Sergey Kandaurov wrote:
> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1703255284 -14400
> # Fri Dec 22 18:28:04 2023 +0400
> # Node ID a463fb67e143c051fd373d1df94e5813a37d5cea
> # Parent 44266e0651c44f530c4aa66e68c1b9464a9acee7
> SSL: raised limit for upstream session size.
>
> Unlike shared session cache used to store multiple client SSL sessions and
> which may be per a single SSL connection, sessions saved from upstream are
> per upstream server peer, so there is no such multiplier effect, but they
> may be of noticeably larger size due to session tickets being used.
>
> It was observed that session tickets sent from JVM backends may result in
> a decoded session size nearly the previous maximum session size limit of
> 4096 or slightly beyond. Raising the limit allows saving such sessions.

Session tickets are not expected to be larger than sessions
themselves, except by several bytes used for key identification and
encryption overhead. I see no reasons why the limit should be
different in different places.

And 4096 for an SSL session looks like a lot. The only justification I
can assume here is an SSL session with the client certificate (or
even certificate chain) being saved into the session. It might
be worth looking into what actually happens here.

[...]
--
Maxim Dounin
http://mdounin.ru/