[PATCH] SSL: respect session timeout in configs without session cache.

Piotr Sikora piotr at cloudflare.com
Thu Oct 10 23:49:15 UTC 2013


Hey Maxim,

> Huh?
>
> The SSL_CTX_set_timeout is a function which is documented to
> "manipulate timeout values for session caching" [1], and it looks
> quite reasonable for me to be set in a block responsible for
> session cache logic.
>
> I would rather think about TLS Session Tickets as a specific way
> to cache sessions.

Session cache (server-side) and Session Tickets (client-side) are two
different approaches to do the session resumption. Session timeout (at
least in OpenSSL) applies to both of them, but existing nginx code
(and your patch) calls SSL_CTX_set_timeout() within session cache
(server-side) code block, even though session timeout is used in
setups without session cache (server-side).

But if you disagree with my logic, then feel free to commit your
patch, you're the gatekeeper so I'm fine with that.

> [1] http://www.openssl.org/docs/ssl/SSL_CTX_set_timeout.html

OpenSSL documentation is terrible and a lot of the time outdated; I
wouldn't be surprised if this was written before Session Tickets
support was added.

Best regards,
Piotr Sikora


