TLS/SSL Cache Automatic Purge

Arnaud Van der Vorst sbxara at icloud.com
Tue Apr 12 06:30:23 UTC 2016


Hi,

@B.R.

Not really…

The only information for ssl_session_timeout is “Specifies a time during which a client may reuse the session parameters stored in a cache.” It does not say anything about purging the TLS/SSL Cache, which is my concern here.

I have read that invalidating a TLS/SSL Session and purging the TLS/SSL Cache are two separate things.

Arnaud

From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of B.R.
Sent: Monday, April 11, 2016 22:15
To: nginx ML <nginx at nginx.org>
Subject: Re: TLS/SSL Cache Automatic Purge

Hello,

@Maxim

Just to be perfectly clear: does that mean that session tickets are supported for any version of nginx (including <v1.5.9), provided OpenSSL 0.9.8f is available?

So the directive would be kind of 'intercepting' TLS commands, a man in the middle of client and OpenSSL?

@Arnaud

I guess the docs <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout> have all your answers.


---
B. R.

On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

Hello!

On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote:

[...]

> On a side-note, by default nginx does not store session parameters as it
> prefers tickets
> <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets>,
> supported since v1.5.9, over session IDs.

Session tickets are supported as long as the OpenSSL version used supports
them, that is, with OpenSSL 0.9.8f or later.

In nginx 1.5.9 the "ssl_session_tickets" directive was added,
which makes it possible to disable session tickets when needed.

--
Maxim Dounin
http://nginx.org/


_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

 
