[PATCH] rfc5077 session tickets

[Maxim Dounin]

Hello!

On Tue, Oct 02, 2012 at 12:09:48PM +1000, Daniel Black wrote:

> 
> For a quick summary of session tickets look at http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html and for a longer version read the rfc.
> 
> Session tickets are supported in chrome and firefox browsers.
> 
> Both session tickets and session id (the current session implementation) allow the server to resume SSL/TLS session with a quicker round trip and less cryptographic material generation.
> 
> The advantage of session tickets over session ids is that the server can now handle an unlimited number of session resumption clients using a fixed amount of shared memory (52 bytes).
> 
> It also handles resumption for client side certificates.
> 
> Because there's no memory cost for these they have a larger timeout value allowing those clients to have a quicker resumption (one round trip quicker) when they connect within the ssl_ticket_timeout.
> 
> This also disables session tickets when a shared memory isn't setup. This is a current problem when there is more than one worker. By default openssl handles session tickets using an internal buffer that isn't shared between processes. As such clients are likely to go through a renegotiation.
> 
> This requires previous sent patches:
> [PATCH] allow printing of string buffers in hex format
> [PATCH] cast results of ngx_ssl_get_connection to right type
> 
> Originally submitted as part of http://trac.nginx.org/nginx/ticket/120

As I already replied in the ticket, the only real thing that the 
patch adds compared to what we have now with OpenSSL's default 
session ticket code is session ticket timeout.  While it's 
something valuable per se, it's unlikely deserve the amount of 
code introduced.

On the other hand, the patch breaks existing session tickets support if 
there are multiple worker processes configure unless shared 
ssl_session_cache is configure as well.  

[...]

-- 
Maxim Dounin
http://nginx.com/support.html