[alert] could not add new SSL session to the session cache while SSL handshaking
Maxim Dounin
mdounin at mdounin.ru
Mon Mar 3 17:45:18 UTC 2014
Hello!

On Mon, Mar 03, 2014 at 05:11:22PM +0000, Reid, Mike wrote:
> I am experiencing the following in my error logs after a recent
> upgrade to NGiNX 1.5.10 (from 1.5.8), and also applying SSL /
> TLS updates as described on istlsfastyet.com
>
> [alert] 3319#0: *301399 could not add new SSL session to the
> session cache while SSL handshaking
>
> Any ideas on why these alerts would now be showing up? I am not
> sure how to address, or whether there should be cause for
> concern?
>
> NGiNX 1.5.10 w/ SPDY 3.1 # Previously 1.5.8, now including
> --with-http_spdy_module and using openssl-1.0.1f (previously
> openssl-1.0.1e without http_spdy_module)
> ssl_session_cache shared:SSL:10m; # No change
> ssl_buffer_size 1400; # New
> ssl_session_timeout 24h; # Previously 10m
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # No change

You've changed SSL session timeout from 10 minutes to 24 hours,
and this basically means that sessions will use 144 times more
space in session cache. On the other hand, cache size wasn't
changed - so you've run out of space in the cache configured. If
there is no space in a cache nginx will try to drop one
non-expired session from the cache, but it may not be enough to
store a new session (as different sessions may occupy different
space), resulting in alerts you've quoted.

Note well that configuring ssl_buffer_size to 1400 isn't a good
idea unless you are doing so for your own performance testing.
See previous discussions for details.

Overall, this doesn't look relevant to nginx-devel@. Please use
nginx@ for further questions.

--
Maxim Dounin
http://nginx.org/
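
The sizing argument in the reply above, as an added example that is not part of the original message or of nginx: it reads the two directives from a config fragment and compares the steady-state number of unexpired sessions with the cache capacity. Assumptions: the figure of about 4000 sessions per megabyte comes from the nginx ssl_session_cache documentation, the rate of 2 new sessions per second is constructed, and only single-unit time values (s, m, h, d) are parsed.

```python
import re

SESSIONS_PER_MB = 4000  # approximate, per nginx ssl_session_cache docs
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
SIZE_UNITS_MB = {"": 1 / 1048576, "k": 1 / 1024, "m": 1}


def parse_time(value):
    """Convert an nginx time value such as '10m' or '24h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2)]


def shared_cache_mb(value):
    """Size in MB of the 'shared:NAME:SIZE' part of ssl_session_cache."""
    for part in value.lower().split():
        m = re.fullmatch(r"shared:\w+:(\d+)([km]?)", part)
        if m:
            return int(m.group(1)) * SIZE_UNITS_MB[m.group(2)]
    raise ValueError("no shared cache configured")


def read_directives(conf_text):
    """Collect ssl_session_* directives, ignoring '#' comments."""
    found = {}
    for line in conf_text.splitlines():
        m = re.fullmatch(r"(ssl_session_\w+)\s+(.+?);", line.split("#", 1)[0].strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def check(conf_text, new_sessions_per_sec):
    """Compare expected unexpired sessions against cache capacity."""
    d = read_directives(conf_text)
    capacity = int(shared_cache_mb(d["ssl_session_cache"]) * SESSIONS_PER_MB)
    # Every new session stays cached until its timeout expires.
    live = int(new_sessions_per_sec * parse_time(d["ssl_session_timeout"]))
    return {"capacity": capacity, "live": live, "fits": live <= capacity}


# Directive values taken from the quoted message; the rate is constructed.
BEFORE = "ssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;"
AFTER = "ssl_session_cache shared:SSL:10m; # No change\nssl_session_timeout 24h;"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, check(conf, new_sessions_per_sec=2))
```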