[PATCH] SSL: raised limit for upstream session size

Sergey Kandaurov pluknet at nginx.com
Mon Dec 25 20:29:54 UTC 2023


> On 23 Dec 2023, at 01:46, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> Hello!
> 
> On Fri, Dec 22, 2023 at 06:28:34PM +0400, Sergey Kandaurov wrote:
> 
>> # HG changeset patch
>> # User Sergey Kandaurov <pluknet at nginx.com>
>> # Date 1703255284 -14400
>> #      Fri Dec 22 18:28:04 2023 +0400
>> # Node ID a463fb67e143c051fd373d1df94e5813a37d5cea
>> # Parent  44266e0651c44f530c4aa66e68c1b9464a9acee7
>> SSL: raised limit for upstream session size.
>> 
>> Unlike shared session cache used to store multiple client SSL sessions and
>> which may be per a single SSL connection, sessions saved from upstream are
>> per upstream server peer, so there is no such multiplier effect, but they
>> may be of noticeably larger size due to session tickets being used.
>> 
>> It was observed that session tickets sent from JVM backends may result in
>> a decoded session size nearly at the previous maximum session size limit of
>> 4096 or slightly beyond.  Raising the limit allows saving such sessions.
> 
> Session tickets are not expected to be larger than sessions 
> themselves, except by several bytes used for key identification and 
> encryption overhead.  I see no reasons why the limit should be 
> different in different places.
> 
> And 4096 for an SSL session looks a lot.  The only justification I 
> can assume here is an SSL session with the client certificate (or 
> even certificate chain) being saved into the session.  It might 
> be worth looking into what actually happens here.
> 

Indeed.  Both local and peer certificate chains are serialized and
encrypted as part of constructing a session ticket.  Per the original
change to support tickets, this is hardcoded and may not be adjusted:
https://hg.openjdk.org/jdk/jdk/rev/c2398053ee90#l4.352
https://hg.openjdk.org/jdk/jdk/rev/c2398053ee90#l10.261

-- 
Sergey Kandaurov

