nginx and ephemeral Diffie-Hellman keys
Igor Sysoev
is at rambler-co.ru
Sat Jun 14 01:06:33 MSD 2008
On Fri, Jun 13, 2008 at 10:53:29PM +0200, Jauder Ho wrote:
>
> Looking at the RFC text, if nginx sends TLS close notify, and does not
> wait, does it reuse the session?
Yes, nginx allows sessions to be reused.
However, you should use a cache shared across workers:
http://wiki.codemongers.com/NginxHttpSslModule#ssl_session_cache
> The other test case would be of premature close (if client closes
> connection without sending alert), session must be abandoned and not
> reused.
No, nginx nevertheless allows these sessions to be reused,
otherwise all MSIE connections will require an SSL handshake.
> Igor Sysoev wrote:
> > On Fri, Jun 13, 2008 at 01:55:21PM +0200, Jauder Ho wrote:
> >
> >> On a separate note, in testing with
> >> http://www.serversniff.net/sslcheck.php
> >>
> >> It is noted that nginx only partially supports TLS closures. See section
> >> 2.2 of http://tools.ietf.org/html/rfc2818
> >
> > I do not know what they mean by partial support of TLS closures,
> > however, nginx sends a TLS close notify alert, but does not wait for it from
> > the client because many browsers, including MSIE, do not send this alert.
--
Igor Sysoev
http://sysoev.ru/en/
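
Added example, not part of the original message and not nginx code: one way to check from the client side whether resumed sessions reach every worker, by counting "New" and "Reused" handshakes in `openssl s_client -reconnect` output. The sample output is constructed, and the function names and verdict wording are assumptions of this example.

```python
import re

# Constructed sample (trimmed), shaped like the output of:
#   openssl s_client -connect HOST:443 -reconnect -no_ticket
# -no_ticket is assumed, so resumption has to go through the server-side cache.
SAMPLE = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
"""

# One summary line is printed per handshake: "New, ..." or "Reused, ...".
HANDSHAKE = re.compile(r"^(New|Reused), \S+, Cipher is \S+", re.MULTILINE)

def handshakes(output):
    """Return 'New' or 'Reused' for each handshake, in connection order."""
    return HANDSHAKE.findall(output)

def reuse_report(output):
    """Summarise how many reconnects resumed the first session."""
    kinds = handshakes(output)
    if len(kinds) < 2:
        raise ValueError("need the initial handshake plus at least one reconnect")
    reconnects = kinds[1:]  # the first handshake is always a full one
    reused = reconnects.count("Reused")
    if reused == len(reconnects):
        verdict = "all reconnects resumed"
    elif reused == 0:
        verdict = "no resumption: session cache off or not reachable"
    else:
        verdict = "partial resumption: consistent with a per-worker cache"
    return {"reconnects": len(reconnects), "reused": reused, "verdict": verdict}

if __name__ == "__main__":
    print(reuse_report(SAMPLE))
```

A partial result is only a hint: a reconnect that lands on a worker without the session falls back to a full handshake, which is the case the shared cache is meant to avoid.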