[alert] could not add new SSL session to the session cache while SSL handshaking

Reid, Mike mbreid at thepei.com
Mon Mar 3 19:04:33 UTC 2014


Thanks, Maxim. I appreciate it. Will do.



On 3/3/14, 10:45 AM, "Maxim Dounin" <mdounin at mdounin.ru> wrote:

>Hello!
>
>On Mon, Mar 03, 2014 at 05:11:22PM +0000, Reid, Mike wrote:
>
>> I am experiencing the following in my error logs after a recent
>> upgrade to NGiNX 1.5.10 (from 1.5.8), and also applying SSL /
>> TLS updates as described on istlsfastyet.com
>> 
>> [alert] 3319#0: *301399 could not add new SSL session to the
>> session cache while SSL handshaking
>> 
>> Any ideas on why these alerts would now be showing up? I am not
>> sure how to address, or whether there should be cause for
>> concern?
>> 
>> NGiNX 1.5.10 w/ SPDY 3.1 # Previously 1.5.8, now including
>> --with-http_spdy_module and using openssl-1.0.1f (previously
>> openssl-1.0.1e without http_spdy_module)
>> ssl_session_cache shared:SSL:10m; # No change
>> ssl_buffer_size 1400; # New
>> ssl_session_timeout 24h; # Previously 10m
>> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # No change
>
>You've changed SSL session timeout from 10 minutes to 24 hours,
>and this basically means that sessions will use 144 times more
>space in session cache.  On the other hand, cache size wasn't
>changed - so you've run out of space in the cache configured.  If
>there is no space in a cache nginx will try to drop one
>non-expired session from the cache, but it may not be enough to
>store a new session (as different sessions may occupy different
>space), resulting in alerts you've quoted.
>
>Note well that configuring ssl_buffer_size to 1400 isn't a good
>idea unless you are doing so for your own performance testing.
>See previous discussions for details.
>
>Overall, this doesn't look relevant to nginx-devel at .  Please use
>nginx@ for further questions.
>
>-- 
>Maxim Dounin
>http://nginx.org/
>
>_______________________________________________
>nginx-devel mailing list
>nginx-devel at nginx.org
>http://mailman.nginx.org/mailman/listinfo/nginx-devel
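The failure mode described in the reply above, as an added example that is not part of the original thread and is not nginx code: a simplified byte-counting model of a fixed-size session cache that, when full, drops one non-expired session and retries once. The capacity, session sizes and arrival rate are constructed for illustration, and the model ignores allocator details.

```python
from collections import deque

CAPACITY = 200_000  # bytes; constructed value, scaled down to keep the run short


def workload(seconds=3600):
    """Constructed traffic: one new session per second, every 4th one larger."""
    return [(t, 480 if t % 4 == 3 else 160) for t in range(seconds)]


def simulate(capacity, timeout, arrivals):
    """Return (stored, alerts) for time-ordered (time, size) arrivals."""
    cache = deque()  # (expiry_time, size), oldest first
    used = stored = alerts = 0
    for now, size in arrivals:
        # Sessions past their timeout are removed first.
        while cache and cache[0][0] <= now:
            used -= cache.popleft()[1]
        # Cache full: drop ONE non-expired session (the oldest), then retry.
        if used + size > capacity and cache:
            used -= cache.popleft()[1]
        if used + size > capacity:
            # The dropped session was smaller than the new one: this is the
            # "could not add new SSL session to the session cache" case.
            alerts += 1
            continue
        cache.append((now + timeout, size))
        used += size
        stored += 1
    return stored, alerts


if __name__ == "__main__":
    for label, cap, timeout in [
        ("10m timeout, original cache", CAPACITY, 600),
        ("24h timeout, original cache", CAPACITY, 86400),
        ("24h timeout, cache x144", CAPACITY * 144, 86400),
    ]:
        stored, alerts = simulate(cap, timeout, workload())
        print(f"{label}: stored={stored} alerts={alerts}")
```

In this model the alerts disappear either by returning to the shorter timeout or by growing the cache in proportion to the timeout.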


