Distributed SSL session cache
mdounin at mdounin.ru
Mon Sep 16 13:37:27 UTC 2013
On Mon, Sep 16, 2013 at 11:21:25PM +1000, Daniel Black wrote:
> > > Is it generally possible to implement session lookup in non-blocking
> > > way in this case?
> > > If yes - is there any good example of OpenSSL's non-blocking callbacks?
> > It should be possible, but it will likely require non-trivial
> > changes in OpenSSL. And I don't know any good examples.
> http://twistedmatrix.com/trac/browser/trunk/twisted/protocols/tls.py is in python and uses python wrapped OpenSSL calls however it is non-blocking.
We are talking about implementing session lookup callbacks in
OpenSSL in a non-blocking way. Using OpenSSL for non-blocking
communication is what nginx already does.
> > > P.S. As an alternative (and I don't like this idea) - we can distribute
> > > sessions to nginx cache via custom-written module, something like it's done
> > > in stud.
> > This should be doable, and probably it's the simplest solution if you
> > want to stick with a server-side session store.
> I was considering name space allocation in the tls ticket name
> amongst servers and an async distribution mechanism amongst
> servers (multicast?). Since there are 120 bytes per server of
> session tickets, allocating this on every web/mail server in a
> cluster probably isn't a high memory overhead, and since the
> session key info is reused it's not BW intensive either. It also
> solves some non-blocking aspects associated with key retrieval.
> On client incompatibility (on ticket renewals), gnutls devs
> fixed it right away, openssl had already done a fix, and with nss
> I had trouble replicating the problem.
This, again, is about distribution of sessions, not session ticket
If considering distribution of session ticket keys, the simplest
solution would be to just load keys with a configuration. This
allows you to not bother with security of distribution, which
otherwise is a major problem.
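As an added illustration of the "load keys with a configuration" approach (not part of the original thread, and using the ssl_session_ticket_key directive nginx gained after this message was written): each server reads the same ticket key file from disk, so no runtime key distribution channel needs to be secured. The file paths are assumptions.

```nginx
# Generate the key once on a trusted host and copy it to every server
# with root-only permissions (e.g. via configuration management), instead
# of pushing it over the network at runtime:
#   openssl rand 80 > /etc/nginx/ssl/ticket.key
# 80 random bytes selects AES-256 for ticket encryption; 48 bytes selects AES-128.
http {
    ssl_session_tickets on;

    # Identical key on all servers: a ticket issued by any one of them
    # resumes on all of them, with no shared session cache to look up.
    # The first key encrypts new tickets and decrypts old ones; further keys
    # only decrypt, which is how a key is rotated without breaking resumption.
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key.previous;

    # Whoever holds the key file can decrypt every ticket it protects, so the
    # protection of that file (and its rotation) is the whole security question.
}
```

Rotate by generating a fresh key into ticket.key, moving the old one to ticket.key.previous, and reloading nginx on all servers within the same window.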