TLS/SSL Cache Automatic Purge

Arnaud Van der Vorst sbxara at icloud.com
Mon Apr 11 12:23:40 UTC 2016


Hi B.R.,

 

Thank you very much for your answer and sorry for the US media political like message ;-)

So, if I understand correctly, using ssl_session_timeout makes sure that after the specified amount of time, the TLS/SSL Sessions will be removed/purged from the TLS/SSL Shared Cache?

Is that correct?

 

Kind regards,

 

Arnaud

 

From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of B.R.
Sent: lundi 11 avril 2016 13:23
To: nginx ML <nginx at nginx.org>
Subject: Re: TLS/SSL Cache Automatic Purge

 

Sounds like US media political messages: 'I am Arnaud, and I approve this message'. That said, welcome!


You will have to write your own module if you want to manually delete TLS sessions parameters instead of letting them expire after 10 minutes.

You could also emulate this daily purge by keeping stock nginx but setting :
ssl_session_timeout 1d;

albeit I for one do not recommend such settings since sessions parameters should probably not be remembered that long for several reasons...

On a side-note, by default nginx does not store session parameters as it prefers tickets <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets> , supported since v1.5.9, over sessions ID.

The former is a more recent mechanism than the latter, and has the notable benefit of storing session parameters client-side, which scales, avoids cache management trouble as yours and some other ones. There are some docs <http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#TLS_RESUME>  about that in the Web tubes.

Why not sticking with those defaults (or even set ssl_session_cache to off to be absolutely clear)?

---
B. R.

 

On Mon, Apr 11, 2016 at 10:41 AM, Arnaud Van der Vorst <sbxara at icloud.com <mailto:sbxara at icloud.com> > wrote:

Hi,

 

My name is Arnaud and I am new to the list.

 

I would like to know if NGINX is using any automatic purge mechanism for its TLS/SSL Cache configured using the following directives:

ssl_session_timeout 10m;

ssl_session_cache shared:SSL:10m;

 

I understand that a daily purge of TLS/SSL Cache is highly recommended to avoid breaking Perfect Forward Secrecy of the TLS Protocol.

If it does NOT use automatic purge, how can I purge the Shared cache used by NGINX then?

Are there any command line tools for that purpose?

 

Thank you very much in advance for your answer and have a nice day!

 

Kind regards,

 

Arnaud


_______________________________________________
nginx mailing list
nginx at nginx.org <mailto:nginx at nginx.org> 
http://mailman.nginx.org/mailman/listinfo/nginx

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160411/e070c442/attachment.html>


More information about the nginx mailing list