TLS session resumption (identifier)
B.R.
reallfqq-nginx at yahoo.fr
Fri Mar 4 09:08:18 UTC 2016
Thanks Igor, that makes the whole thing crystal clear!
What saves us there is the fact that, if I understand it well, the RFC 5077
<https://tools.ietf.org/html/rfc5077#section-3.4> states the server
decides by itself on the use of tickets and those have precedence over
identifiers.
But still, advertising something without actually supporting it must lead
to cases where sessions reuse is believed to take place without ever
happening, harming performance... that was probably happening in versions <
1.5.9.
Giving the possibility to accomodate with Outlook (and Microsoft products
in general) numerous quirks is fine, but making it the default is
debatable... Maybe the docs should be more explicit about the reason of the
existence of 'none'? Code comments are clearer than the docs on this matter.
---
*B. R.*
On Thu, Mar 3, 2016 at 4:48 PM, Igor Sysoev <igor at sysoev.ru> wrote:
>
> On 03 Mar 2016, at 18:42, B.R. <reallfqq-nginx at yahoo.fr> wrote:
>
> Thanks, Maxim.
>
> You were right: I did my tests improperly...
>
> What is the use of the 'none' value then? Should not there be only the
> 'off' one?
> There must be some benefit to it, but I fail to catch it.
>
>
> Initially it has been implemented for mail proxy module, but it seems that
> “none”
> is more graceful than “off” in general:
>
> /*
> * If the server explicitly says that it does not support
> * session reuse (see SSL_SESS_CACHE_OFF above), then
> * Outlook Express fails to upload a sent email to
> * the Sent Items folder on the IMAP server via a separate IMAP
> * connection in the background. Therefore we have a special
> * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)
> * where the server pretends that it supports session reuse,
> * but it does not actually store any session.
> */
>
> --
> Igor Sysoev
> http://nginx.com
>
> On Thu, Mar 3, 2016 at 2:29 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
>> Hello!
>>
>> On Thu, Mar 03, 2016 at 12:42:55PM +0100, B.R. wrote:
>>
>> > Based on the default value of ssl_session_cache
>> > <
>> http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
>> >,
>> > nginx does not store any session parameter, but allows client with the
>> > right Master Key to reuse their ID (and the parameters they got).
>> >
>> > Since nginx, does not cache anything and is thus unable to revalidate
>> > anything but the Master Key, isn't it a violation of the RFC not to
>> > validate all the parameters?
>>
>> You are misunderstanding what "ssl_session_cache none" does. It
>> doesn't allow anything to be reused, just says so to clients.
>>
>> --
>> Maxim Dounin
>> http://nginx.org/
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20160304/38a676a1/attachment.html>
More information about the nginx
mailing list