TLS session resumption (identifier)

Maxim Dounin mdounin at mdounin.ru
Thu Mar 3 13:29:34 UTC 2016


Hello!

On Thu, Mar 03, 2016 at 12:42:55PM +0100, B.R. wrote:

> Based on the default value of ssl_session_cache
> <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache>,
> nginx does not store any session parameter, but allows clients with the
> right Master Key to reuse their ID (and the parameters they got).
> 
> Since nginx does not cache anything and is thus unable to revalidate
> anything but the Master Key, isn't it a violation of the RFC not to
> validate all the parameters?

You are misunderstanding what "ssl_session_cache none" does.  It 
doesn't allow anything to be reused, just says so to clients.

-- 
Maxim Dounin
http://nginx.org/


