SSL session resumption. SSL Labs test.
António P. P. Almeida
appa at perusio.net
Mon Nov 22 06:39:06 MSK 2010
On 22 Nov 2010 03h02 WET, mdounin at mdounin.ru wrote:
Hello Maxim,
Thank you for your reply.
> Session establishment/resumption happens before SNI handling.
> Therefore configuring session cache within SNI-only server{} won't
> work, you have to configure one in default server for the socket
> in question.
So the session resumption is done using a mapping that relates IPs
to session IDs, completely oblivious to anything related to
server_name.
> This is how it's done in OpenSSL, and it seems to be what is actually
> required by RFC4366 (http://tools.ietf.org/html/rfc4366#section-3):
>
> - If, on the other hand, the older session is resumed, then the
> server MUST ignore the extensions and send a server hello
> containing none of the extension types. In this case, the
> functionality of these extensions negotiated during the original
> session initiation is applied to the resumed session.
I tried this:
listen [::]:443 ssl default_server; # ipv6
while leaving the '_' server_name for the HTTP default server. But
gnutls-bin gives the same results. No session resumption support. It
requires a regular default_server, i.e.,
listen [::]:80 default_server; # ipv6
And the session cache configured in the correct server. This means
that I must ditch the "illegal" Host header server block, it seems,
in order to get SSL session resumption to work :(
--- appa
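An added example, not part of the thread above and not nginx's or the poster's own configuration: the first function writes an nginx server layout that follows Maxim's advice (the ssl_session_cache is configured in the default server for the [::]:443 socket, because the cache lookup for resumption happens before SNI is processed, so a cache in an SNI-only server{} alone is never consulted); the second part is the check a practitioner would run afterwards, parsing the per-connection "New, ..." / "Reused, ..." status lines that `openssl s_client -reconnect` prints. The hostname www.example.com, the certificate paths and the cache size are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Hostnames, certificate
# paths and cache size are illustrative assumptions.

# Write an nginx server layout in which the session cache lives in the
# default server for the [::]:443 socket. Resumption is decided before
# SNI is handled, so this is the cache every connection to the socket
# uses, including connections that end up in the SNI-selected server.
write_nginx_conf() {
    # $1: output path for the generated configuration fragment
    cat >"$1" <<'EOF'
# Default server for the IPv6 HTTPS socket: holds the session cache.
server {
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/ssl/default.crt;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/default.key;   # assumed path
    ssl_session_cache   shared:SSL:10m;               # assumed size
    ssl_session_timeout 10m;
    return 444;   # close connections for unknown names
}

# SNI-only server. A session cache configured only here would not be
# reached, since the cache lookup happens before server_name is known.
server {
    listen [::]:443 ssl;
    server_name www.example.com;                      # assumed name
    ssl_certificate     /etc/nginx/ssl/www.crt;       # assumed path
    ssl_certificate_key /etc/nginx/ssl/www.key;       # assumed path
    root /var/www/www.example.com;                    # assumed path
}
EOF
}

# Read `openssl s_client -reconnect` output on stdin and print
# "<reused> <new>": how many connections were reported as Reused (session
# resumed) and how many as New (full handshake). With -reconnect the
# client makes one initial connection followed by five reconnects, so a
# server with working resumption yields "5 1".
count_resumed() {
    awk '/^Reused, / { r++ } /^New, / { n++ } END { printf "%d %d\n", r+0, n+0 }'
}

# Live check against a server (needs network and openssl; not exercised
# by the test). -servername sends SNI so the SNI-only server is selected,
# which is exactly the case the thread is about.
check_resumption() {
    host=$1
    port=${2:-443}
    openssl s_client -reconnect -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null | count_resumed
}
```

Usage: `. ./resumption.sh && check_resumption www.example.com` prints "5 1" when resumption works; "0 6" means every reconnect fell back to a full handshake, the symptom reported in the thread.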