<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On 03 Mar 2016, at 18:42, B.R. <<a href="mailto:reallfqq-nginx@yahoo.fr">reallfqq-nginx@yahoo.fr</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Thanks, Maxim.<br><br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">You were right: I did my tests improperly...<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)"><br>What is the use of the 'none' value then? Should not there be only the 'off' one?<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">There must be some benefit to it, but I fail to catch it.<br></div></div></blockquote><div><br></div><div>Initially it has been implemented for mail proxy module, but it seems that “none”</div><div>is more graceful than “off” in general:</div><div><br></div><span style="font-family: Menlo-Regular; font-size: 11px;"> /*</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * If the server explicitly says that it does not support</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * session reuse (see SSL_SESS_CACHE_OFF above), then</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * Outlook Express fails to upload a sent email to</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * the Sent Items folder on the IMAP server via a separate IMAP</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * connection in the background. Therefore we have a special</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * where the server pretends that it supports session reuse,</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> * but it does not actually store any session.</span><br style="font-family: Menlo-Regular; font-size: 11px;"><span style="font-family: Menlo-Regular; font-size: 11px;"> */</span><br style="font-family: Menlo-Regular; font-size: 11px;"><br><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">-- <br>Igor Sysoev<br><a href="http://nginx.com">http://nginx.com</a></div><div><br></div></div></div></div><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div><div class="gmail_signature">On Thu, Mar 3, 2016 at 2:29 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:</div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto;">Hello!<br>
<span class=""><br>
On Thu, Mar 03, 2016 at 12:42:55PM +0100, B.R. wrote:<br>
<br>
> Based on the default value of ssl_session_cache<br>
</span>> <<a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache</a>>,<br>
<span class="">> nginx does not store any session parameter, but allows client with the<br>
> right Master Key to reuse their ID (and the parameters they got).<br>
><br>
> Since nginx, does not cache anything and is thus unable to revalidate<br>
> anything but the Master Key, isn't it a violation of the RFC not to<br>
> validate all the parameters?<br>
<br>
</span>You are misunderstanding what "ssl_session_cache none" does. It<br>
doesn't allow anything to be reused, just says so to clients.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</font></span></blockquote></div></div></div></blockquote></div><br></body></html>