Distributed SSL session cache

Maxim Dounin mdounin at mdounin.ru
Mon Sep 16 13:37:27 UTC 2013


Hello!

On Mon, Sep 16, 2013 at 11:21:25PM +1000, Daniel Black wrote:

[...]

> > > Is it generally possible to implement session lookup in a
> > > non-blocking way in this case?
> > > If yes - is there any good example of OpenSSL's non-blocking
> > > callbacks?
> > 
> > It should be possible, but it will likely require non-trivial
> > changes in OpenSSL. And I don't know any good examples.
> 
> 
> http://twistedmatrix.com/trac/browser/trunk/twisted/protocols/tls.py is in Python and uses Python-wrapped OpenSSL calls; however, it is non-blocking.

We are talking about implementing session lookup callbacks in 
OpenSSL in a non-blocking way.  Using OpenSSL for non-blocking 
communication is what nginx already does.

> > > P.S. As an alternative (and I don't like this idea) - we can
> > > distribute
> > > sessions to nginx cache via custom-written module, something like
> > > it's done
> > > in stud.
> > 
> > This should be doable, and probably it's the simplest solution if you
> > want to stick with a server-side session store.
> 
> I was considering name space allocation in the TLS ticket name 
> amongst servers and an async distribution mechanism amongst 
> servers (multicast?). Since there are 120 bytes per 
> server of session tickets, allocating this on every web/mail 
> server in a cluster probably isn't a high memory overhead, and 
> since the session key info is reused it's not BW intensive 
> either. It also solves some non-blocking aspects associated with 
> key retrieval.
> 
> On client incompatibility (on ticket renewals), GnuTLS devs 
> fixed it right away, OpenSSL had already done a fix, and with NSS I 
> had trouble replicating the problem.

This, again, is about distribution of sessions, not session ticket 
keys.

If considering distribution of session ticket keys, the simplest 
solution would be to just load keys with a configuration.  This 
allows one not to bother with the security of distribution, which 
otherwise is a major problem.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
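The configuration-loaded approach Maxim describes above, as an added illustration that is not part of this thread: nginx later gained the `ssl_session_ticket_key` directive (in 1.5.7), which reads a 48- or 80-byte ticket key from a file. Every server in the cluster that loads the same key file can decrypt tickets issued by any other member, so no runtime session distribution is needed; the key material is distributed out of band with the rest of the configuration, which is the point about not having to secure a distribution channel. The file paths and hostnames below are assumptions.

```nginx
# Added example; paths and hostname are placeholders, not from the thread.
http {
    server {
        listen 443 ssl;
        server_name cluster.example.com;

        ssl_certificate     /etc/nginx/tls/cluster.crt;
        ssl_certificate_key /etc/nginx/tls/cluster.key;

        # Resumption via tickets only: no server-side session store,
        # so nothing has to be looked up (or synchronized) at handshake time.
        ssl_session_cache   off;
        ssl_session_tickets on;

        # Ticket keys deployed to every node as ordinary configuration.
        # The first key encrypts new tickets; the others are accepted for
        # decryption, which lets the current key be rotated without breaking
        # tickets issued by the previous key.
        ssl_session_ticket_key /etc/nginx/tls/ticket.current.key;
        ssl_session_ticket_key /etc/nginx/tls/ticket.previous.key;
    }
}
```

Each key file holds raw random bytes, which can be generated with `openssl rand 80 > ticket.current.key`; rotating means generating a new file, moving the old one into the previous-key slot on every node, and reloading. Because a ticket key decrypts every resumed session it protected, the files need the same protection as the private key, and the resumption lifetime is bounded by how often they are rotated, not by `ssl_session_timeout` alone.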


