Distributed SSL session cache

Maxim Dounin mdounin at mdounin.ru
Mon Sep 16 11:55:26 UTC 2013


Hello!

On Mon, Sep 16, 2013 at 12:51:38AM +0400, kyprizel wrote:

> SSL session tickets are not good enough b/c they don't support modern
> cipher modes (like GCM) and they don't work with PFS.

This was already answered by Piotr.  Session tickets are just a way 
to store an SSL session on the client, hence I see no problems with 
any ciphers.  Forward secrecy might be a problem if you use 
long-term session ticket keys, but that's more a matter of session 
ticket key rotation.

> Is it generally possible to implement session lookup in non-blocking way in
> this case?
> If yes - is there any good example of OpenSSL's non-blocking callbacks?

It should be possible, but it will likely require non-trivial 
changes in OpenSSL.  And I don't know of any good examples.

> P.S. As an alternative (and I don't like this idea) - we can distribute
> sessions to nginx cache via custom-written module, something like it's done
> in stud.

This should be doable, and it's probably the simplest solution if you 
want to stick with a server-side session store.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
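A worked illustration of the ticket-key rotation point made above, added here and not part of the thread or of nginx's own tooling. nginx reads ticket keys from files given with the ssl_session_ticket_key directive (48 random bytes each; newer releases also accept 80); when several are listed, only the first one encrypts new tickets and the rest are kept to decrypt tickets already issued. Rotating the files on a schedule bounds how far a later key compromise can reach back, which is what forward secrecy with tickets depends on. The key directory, the ticket.N.key naming scheme and the number of keys retained are assumptions chosen for this example.

```sh
#!/bin/sh
# Added example (not from the thread): rotate nginx TLS session ticket keys.
# ticket.1.key is the current key (encrypts new tickets); ticket.2.key and
# ticket.3.key are older keys kept only to decrypt tickets issued earlier.
set -eu

KEYDIR="${KEYDIR:-/etc/nginx/ticket-keys}"   # assumed location
KEYBYTES=48                                   # nginx expects 48 (or 80) bytes
KEEP=3                                        # keys retained; older are dropped

# Write KEYBYTES of random data to $1, readable only by the owner.
new_ticket_key() {
    umask 077
    head -c "$KEYBYTES" /dev/urandom > "$1"
}

# Shift ticket.N.key -> ticket.N+1.key (dropping the oldest), then create
# a fresh ticket.1.key.  Run this on every node before reloading nginx.
rotate_ticket_keys() {
    dir="$1"
    mkdir -p "$dir"
    i="$KEEP"
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$dir/ticket.$prev.key" ]; then
            mv "$dir/ticket.$prev.key" "$dir/ticket.$i.key"
        fi
        i="$prev"
    done
    new_ticket_key "$dir/ticket.1.key"
}

# Print the nginx directives for the keys present, newest first, so the
# first listed key is the one nginx uses for encryption.
ticket_key_directives() {
    dir="$1"
    i=1
    while [ "$i" -le "$KEEP" ]; do
        if [ -f "$dir/ticket.$i.key" ]; then
            echo "ssl_session_ticket_key $dir/ticket.$i.key;"
        fi
        i=$((i + 1))
    done
}

# Refuse to reload with a short or truncated key file.
check_ticket_keys() {
    for f in "$1"/ticket.*.key; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -eq "$KEYBYTES" ] || return 1
    done
    return 0
}

# Usage (e.g. from cron, then copy the key directory to all nodes and
# run "nginx -s reload" on each):
#   rotate_ticket_keys "$KEYDIR" && check_ticket_keys "$KEYDIR" \
#       && ticket_key_directives "$KEYDIR" > /etc/nginx/ticket-keys.conf
```

The emitted directives are meant to be included from the server block that terminates TLS; nginx only picks up the new files on reload, so the rotation is not complete until every node has reloaded. Keys must be byte-identical across all servers that share a hostname, so distributing them securely (and wiping retired ones) is part of the rotation, not an afterthought.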



More information about the nginx-devel mailing list