Does nginx support SSL resumption?
is at rambler-co.ru
Sat May 30 22:29:57 MSD 2009
On Sat, May 30, 2009 at 10:27:06AM -0700, Michael Shadle wrote:
> 2009/5/30 Igor Sysoev <is at rambler-co.ru>:
> > Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
> > see http://marc.info/?t=120127289900027
> Is this an OpenSSL bug? I think there's an OpenSSL bug I am hitting as
> well with Firefox 3.x (even using the ssl_protocols workaround) - if
> this is a bug in OpenSSL I'd like to go yell at them for both... :)
I believe this is joint effect of some libc malloc() and OpenSSL.
> > Also I do think that shared SSL session cache should be enabled by default.
> I agree.
> > BTW, http://wiki.nginx.org/NginxHttpSslModule is outdated:
> > ssl_session_cache has yet two paramters "off" and "none" (default one):
> > "off" is hard off: nginx says explicitly to a client that sessions can not
> > reused.
> > "none" is soft off: nginx says to a client that session can be resued, but
> > nginx actually never reuses them. This is workaround for some mail clients
> > as ssl_session_cache may be used in mail proxy as well as in HTTP server.
> I've updated the wiki with this information.
> Does it still accept two parameters as shown int he example on the
> wiki? I want to make sure that is still legitimate. I assume that
> means it will use the first cache and fall back to the second if it is
> full or something?
Yes, you still may set both builtin and shared cache simultaneously,
but shared one only is preferable.
> Please verify my changes are correct. I don't want to be putting up
> incorrect information :)
Thank you, this is correct.
More information about the nginx