Distributed SSL session cache
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 16 13:37:27 UTC 2013
Hello!
On Mon, Sep 16, 2013 at 11:21:25PM +1000, Daniel Black wrote:
[...]
> > > Is it generally possible to implement session lookup in non-blocking
> > > way in this case?
> > > If yes - is there any good example of OpenSSL's non-blocking
> > > callbacks?
> >
> > It should be possible, but it will likely require non-trivial
> > changes in OpenSSL. And I don't know any good examples.
>
> http://twistedmatrix.com/trac/browser/trunk/twisted/protocols/tls.py is in python and uses python wrapped OpenSSL calls however it is non-blocking.
We are talking about implementing session lookup callbacks in the
OpenSSL in a non-blocking way. Using OpenSSL for non-blocking
communication is what nginx already does.
> > > P.S. As an alternative (and I don't like this idea) - we can
> > > distribute sessions to nginx cache via custom-written module,
> > > something like it's done in stud.
> >
> > This should be doable, and probably it's the simplest solution if you
> > want to stick with server-side sessions store.
>
> I was considering name space allocation in the tls ticket name
> amongst servers and an async distribution mechanism amongst
> servers (multicast?). Since there are 120 bytes per server of
> session tickets, allocating this on every web/mail server in a
> cluster probably isn't a high memory overhead, and since the
> session key info is reused it's not BW intensive either. It
> also solves some non-blocking aspects associated with key
> retrieval.
>
> On client incompatibility (on ticket renewals), gnutls devs
> fixed it right away, openssl had already done a fix and nss I
> had troubles replicating the problem.
This, again, is about distribution of sessions, not session ticket
keys.
If considering distribution of session ticket keys, the simplest
solution would be to just load keys with a configuration. This
avoids having to bother with the security of distribution, which
otherwise is a major problem.
--
Maxim Dounin
http://nginx.org/en/donation.html
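The "load keys with a configuration" approach from the message above, as an added example that is not part of the thread or of nginx itself: every server in the cluster gets the same ticket-key file through its configuration, and key rotation is done by listing the new file first. It assumes nginx's ssl_session_ticket_key directive (which nginx gained after this thread, accepting 48- or 80-byte key files) and `openssl rand`; the /etc/nginx/tickets paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the nginx project: create, check and reference
# a shared TLS session ticket key that is loaded via configuration rather than
# pushed between servers at runtime.
set -eu

# Write a fresh 80-byte ticket key (nginx also accepts 48-byte files).
# The subshell keeps the restrictive umask from leaking into the caller.
gen_ticket_key() {
    out=$1
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then
          openssl rand 80
      else
          head -c 80 /dev/urandom      # fallback when openssl is absent
      fi > "$out" )
}

# Sanity check to run before a key file is copied onto other servers:
# it must exist, have a size nginx accepts, and not be readable by
# group or others (the key decrypts every session ticket it issued).
check_ticket_key() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 48 ] || [ "$size" -eq 80 ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        *00) return 0 ;;             # e.g. 600 or 400: owner only
        *)   return 1 ;;
    esac
}

# Rotation: nginx encrypts new tickets with the first key listed and can
# decrypt tickets issued under any listed key, so the cluster rolls keys by
# putting the new file first and dropping the old one after the timeout.
# Paths are hypothetical.
print_nginx_ssl_conf() {
    cat <<'EOF'
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/tickets/current.key;   # encrypts new tickets
ssl_session_ticket_key /etc/nginx/tickets/previous.key;  # decrypt only
ssl_session_timeout 1h;
EOF
}
```

Generate the file once, run check_ticket_key on it, then copy it to each server through the same channel as the rest of the configuration.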