Does nginx support SSL resumption?

Igor Sysoev is at rambler-co.ru
Sat May 30 22:29:57 MSD 2009


On Sat, May 30, 2009 at 10:27:06AM -0700, Michael Shadle wrote:

> 2009/5/30 Igor Sysoev <is at rambler-co.ru>:
> 
> > Yes. However, built-in OpenSSL session cache leads to memory fragmentation,
> > see http://marc.info/?t=120127289900027
>
> Is this an OpenSSL bug? I think there's an OpenSSL bug I am hitting as
> well with Firefox 3.x (even using the ssl_protocols workaround) - if
> this is a bug in OpenSSL I'd like to go yell at them for both... :)

I believe this is joint effect of some libc malloc() and OpenSSL.

> > Also I do think that shared SSL session cache should be enabled by default.
>
> I agree.
>
> > BTW, http://wiki.nginx.org/NginxHttpSslModule is outdated:
> > ssl_session_cache has yet two paramters "off" and "none" (default one):
> >
> > "off" is hard off: nginx says explicitly to a client that sessions can not
> > reused.
> >
> > "none" is soft off: nginx says to a client that session can be resued, but
> > nginx actually never reuses them. This is workaround for some mail clients
> > as ssl_session_cache may be used in mail proxy as well as in HTTP server.
>
> I've updated the wiki with this information.
> http://wiki.nginx.org/NginxHttpSslModule#ssl_session_cache
> 
> Does it still accept two parameters as shown int he example on the
> wiki? I want to make sure that is still legitimate. I assume that
> means it will use the first cache and fall back to the second if it is
> full or something?

Yes, you still may set both builtin and shared cache simultaneously,
but shared one only is preferable.

> Please verify my changes are correct. I don't want to be putting up
> incorrect information :)

Thank you, this is correct.


-- 
Igor Sysoev
http://sysoev.ru/en/





More information about the nginx mailing list