Distributed SSL session cache
mdounin at mdounin.ru
Mon Sep 16 11:55:26 UTC 2013
On Mon, Sep 16, 2013 at 12:51:38AM +0400, kyprizel wrote:
> SSL session tickets are not good enough b/c they don't support modern
> cipher modes (like GCM) and they don't work with PFS.
This was already replied by Piotr. Session tickets are just a way
to store SSL session on the client, hence I see no problems with
any ciphers. Forward secrecy might be a problem if you use
long-term session tickets keys, but it's more about session
tickets keys rotation.
> Is it generally possible to implement session lookup in non-blocking way in
> this case?
> If yes - is there any good example of OpenSSL's non-blocking callbacks?
It should be possible, but it will likely require non-trivial
changes in OpenSSL. And I don't know any good examples.
> P.S. As an alternative (and I don't like this idea) - we can distribute
> sessions to nginx cache via custom-written module, something like it's done
> in stud.
This should be doable, and probably it's simpliest solution if you
want to stick with server-side sessions store.
More information about the nginx-devel