Does nginx support SSL resumption?
Igor Sysoev
is at rambler-co.ru
Sat May 30 11:33:52 MSD 2009
On Sat, May 30, 2009 at 12:04:27AM -0700, Michael Shadle wrote:
> Is there any reason for not enabling this? some sort of possible security risk?
> Seems like it saves a lot of negotiation overhead on each request
Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
see http://marc.info/?t=120127289900027
Also I do think that shared SSL session cache should be enabled by default.
BTW, http://wiki.nginx.org/NginxHttpSslModule is outdated:
ssl_session_cache has yet two paramters "off" and "none" (default one):
"off" is hard off: nginx says explicitly to a client that sessions can not
reused.
"none" is soft off: nginx says to a client that session can be resued, but
nginx actually never reuses them. This is workaround for some mail clients
as ssl_session_cache may be used in mail proxy as well as in HTTP server.
> This is what I mean by "SSL resumption" I think it's what you're
> talking about too.
> http://rdist.root.org/2009/03/10/note-to-wordpress-on-ssl/
>
>
>
> 2009/5/29 Igor Sysoev <is at rambler-co.ru>:
> > On Fri, May 29, 2009 at 04:09:23PM -0700, Michael Shadle wrote:
> >
> >> If so, is it enabled by default? How can I enable it?
> >
> > If you mean SSL session reusing, then
> >
> > ssl_session_cache shared:SSL:10m;
> >
> > Default is "ssl_session_cache none".
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> >
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx
mailing list