[PATCH] SSL: raised limit for upstream session size
Sergey Kandaurov
pluknet at nginx.com
Mon Dec 25 20:29:54 UTC 2023
> On 23 Dec 2023, at 01:46, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Fri, Dec 22, 2023 at 06:28:34PM +0400, Sergey Kandaurov wrote:
>
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet at nginx.com>
>> # Date 1703255284 -14400
>> # Fri Dec 22 18:28:04 2023 +0400
>> # Node ID a463fb67e143c051fd373d1df94e5813a37d5cea
>> # Parent 44266e0651c44f530c4aa66e68c1b9464a9acee7
>> SSL: raised limit for upstream session size.
>>
>> Unlike shared session cache used to store multiple client SSL sessions and
>> which may be per a single SSL connection, sessions saved from upstream are
>> per upstream server peer, so there is no such multiplier effect, but they
>> may be of noticeably larger size due to session tickets being used.
>>
>> It was observed that session tickets sent from JVM backends may result in
>> a decoded session size nearly the previous maximum session size limit of
>> 4096 or slightly beyond. Raising the limit allows to save such sessions.
>
> Session tickets are not expected to be larger than sessions
> itself, except by several bytes used for key identification and
> encryption overhead. I see no reasons why the limit should be
> different in different places.
>
> And 4096 for an SSL session looks a lot. The only justification I
> can assume here is an SSL session with the client certificate (or
> even certificate chain) being saved into the session. It might
> worth looking into what actually happens here.
>
Indeed. Both local and peer certificate chains are serialized and
encrypted as part of constructing a session ticket. Per the original
change to support tickets, this is hardcoded and may not be adjusted:
https://hg.openjdk.org/jdk/jdk/rev/c2398053ee90#l4.352
https://hg.openjdk.org/jdk/jdk/rev/c2398053ee90#l10.261
--
Sergey Kandaurov
More information about the nginx-devel
mailing list