[PATCH] SSL: raised limit for upstream session size

Maxim Dounin mdounin at mdounin.ru
Fri Dec 22 21:46:47 UTC 2023


Hello!

On Fri, Dec 22, 2023 at 06:28:34PM +0400, Sergey Kandaurov wrote:

> # HG changeset patch
> # User Sergey Kandaurov <pluknet at nginx.com>
> # Date 1703255284 -14400
> #      Fri Dec 22 18:28:04 2023 +0400
> # Node ID a463fb67e143c051fd373d1df94e5813a37d5cea
> # Parent  44266e0651c44f530c4aa66e68c1b9464a9acee7
> SSL: raised limit for upstream session size.
> 
> Unlike shared session cache used to store multiple client SSL sessions and
> which may be per a single SSL connection, sessions saved from upstream are
> per upstream server peer, so there is no such multiplier effect, but they
> may be of noticeably larger size due to session tickets being used.
> 
> It was observed that session tickets sent from JVM backends may result in
> a decoded session size nearly the previous maximum session size limit of
> 4096 or slightly beyond.  Raising the limit allows saving such sessions.

Session tickets are not expected to be larger than sessions
themselves, except by several bytes used for key identification and
encryption overhead.  I see no reasons why the limit should be
different in different places.

And 4096 for an SSL session looks like a lot.  The only justification I
can assume here is an SSL session with the client certificate (or
even certificate chain) being saved into the session.  It might
be worth looking into what actually happens here.

[...]

-- 
Maxim Dounin
http://mdounin.ru/

