<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Thanks Igor, that makes the whole thing crystal clear!<br><br>What saves us there is the fact that, if I understand it well, the <a href="https://tools.ietf.org/html/rfc5077#section-3.4">RFC 5077</a> states the server decides by itself on the use of tickets and those have precedence over identifiers.<br>But still, advertising something without actually supporting it must lead to cases where sessions reuse is believed to take place without ever happening, harming performance... that was probably happening in versions < 1.5.9.<br><br>Giving the possibility to accomodate with Outlook (and Microsoft products in general) numerous quirks is fine, but making it the default is debatable... Maybe the docs should be more explicit about the reason of the existence of 'none'? Code comments are clearer than the docs on this matter.<br></div><div class="gmail_extra"><div><div class="gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Thu, Mar 3, 2016 at 4:48 PM, Igor Sysoev <span dir="ltr"><<a href="mailto:igor@sysoev.ru" target="_blank">igor@sysoev.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><span class=""><div>On 03 Mar 2016, at 18:42, B.R. <<a href="mailto:reallfqq-nginx@yahoo.fr" target="_blank">reallfqq-nginx@yahoo.fr</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr"><div style="font-size:small;color:rgb(51,51,153)">Thanks, Maxim.<br><br></div><div style="font-size:small;color:rgb(51,51,153)">You were right: I did my tests improperly...<br></div><div style="font-size:small;color:rgb(51,51,153)"><br>What is the use of the 'none' value then? Should not there be only the 'off' one?<br></div><div style="font-size:small;color:rgb(51,51,153)">There must be some benefit to it, but I fail to catch it.<br></div></div></blockquote><div><br></div></span><div>Initially it has been implemented for mail proxy module, but it seems that “none”</div><div>is more graceful than “off” in general:</div><div><br></div><span style="font-family:Menlo-Regular;font-size:11px"> /*</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * If the server explicitly says that it does not support</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * session reuse (see SSL_SESS_CACHE_OFF above), then</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * Outlook Express fails to upload a sent email to</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * the Sent Items folder on the IMAP server via a separate IMAP</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * connection in the background. Therefore we have a special</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * where the server pretends that it supports session reuse,</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> * but it does not actually store any session.</span><br style="font-family:Menlo-Regular;font-size:11px"><span style="font-family:Menlo-Regular;font-size:11px"> */</span><span class="HOEnZb"><font color="#888888"><br style="font-family:Menlo-Regular;font-size:11px"><br><div><div style="word-wrap:break-word"><div style="word-wrap:break-word"><div style="word-wrap:break-word">-- <br>Igor Sysoev<br><a href="http://nginx.com" target="_blank">http://nginx.com</a></div><div><br></div></div></div></div></font></span><span class=""><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div><div>On Thu, Mar 3, 2016 at 2:29 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:</div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hello!<br>
<span><br>
On Thu, Mar 03, 2016 at 12:42:55PM +0100, B.R. wrote:<br>
<br>
> Based on the default value of ssl_session_cache<br>
</span>> <<a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache</a>>,<br>
<span>> nginx does not store any session parameter, but allows client with the<br>
> right Master Key to reuse their ID (and the parameters they got).<br>
><br>
> Since nginx, does not cache anything and is thus unable to revalidate<br>
> anything but the Master Key, isn't it a violation of the RFC not to<br>
> validate all the parameters?<br>
<br>
</span>You are misunderstanding what "ssl_session_cache none" does. It<br>
doesn't allow anything to be reused, just says so to clients.<br>
<span><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</font></span></blockquote></div></div></div></blockquote></span></div><br></div><br>_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br></blockquote></div><br></div></div>