SSL session resumption. SSL Labs test.

António P. P. Almeida appa at perusio.net
Mon Nov 22 06:39:06 MSK 2010


On 22 Nov 2010 03h02 WET, mdounin at mdounin.ru wrote:

Hello Maxim,

Thank you for your reply.


> Session establishment/resumption happens before SNI handling.
> Therefore configuring session cache within SNI-only server{} won't
> work, you have to configure one in default server for the socket
> in question.

So the session resumption is done using a mapping that relates IPs
with session IDs, completely oblivious to anything related to
server_name.

> This is how it's done in OpenSSL, and it seems to be what is actually
> required by RFC4366 (http://tools.ietf.org/html/rfc4366#section-3):
>
> -  If, on the other hand, the older session is resumed, then the
> server MUST ignore the extensions and send a server hello
> containing none of the extension types.  In this case, the
> functionality of these extensions negotiated during the original
> session initiation is applied to the resumed session.

I tried this:

listen [::]:443 ssl default_server; # ipv6

while leaving the '_' server_name for the HTTP default server. But
gnutls-bin gives the same results. No session resumption support. It
requires a regular default_server, i.e., 

listen [::]:80 default_server; # ipv6

And the session cache configured in the correct server. This means
that I must ditch the "illegal" Host header server block, it seems,
in order to get SSL session resumption to work :(

--- appa
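The configuration Maxim describes, as an added example that is not part of the thread and not the poster's own config: the session cache is declared in the default server for the :443 socket, because resumption is decided before SNI picks a server{} block. Certificate paths, the server_name and the document root are placeholders.

```nginx
# Added example (not from the thread). Resumption runs before SNI, so the
# default server for the socket is the one that must carry the cache.
http {
    server {
        listen [::]:443 ssl default_server;   # default for this socket (ipv6)
        server_name _;

        ssl_certificate     /etc/nginx/ssl/default.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/default.key;   # placeholder path

        # Cache configured in the default server so the socket's SSL
        # context can resume sessions for every name on this socket.
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        # Keep dropping requests with an unknown/illegal Host header;
        # the default server can do this and still hold the cache.
        return 444;
    }

    server {
        listen [::]:443 ssl;                  # SNI-selected virtual host
        server_name example.com;              # placeholder name

        ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder

        # Same shared zone name: nginx lets several virtual servers use
        # one named zone, so this server sees the same session store.
        ssl_session_cache   shared:SSL:10m;

        location / {
            root /var/www/example.com;        # placeholder root
        }
    }
}
```

To confirm resumption works for the SNI host, `openssl s_client -connect [::1]:443 -servername example.com -reconnect` reconnects several times with the same session and reports "Reused" on the later handshakes; `gnutls-cli -r` performs the equivalent check with the gnutls-bin tools the post mentions.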



