Hello!

On Mon, Mar 03, 2014 at 05:11:22PM +0000, Reid, Mike wrote:

> I am experiencing the following in my error logs after a recent
> upgrade to NGiNX 1.5.10 (from 1.5.8), and also applying SSL /
> TLS updates as described on istlsfastyet.com
>
> [alert] 3319#0: *301399 could not add new SSL session to the
> session cache while SSL handshaking
>
> Any ideas on why these alerts would now be showing up? I am not
> sure how to address, or whether there should be cause for
> concern?
>
> NGiNX 1.5.10 w/ SPDY 3.1 # Previously 1.5.8, now including
> --with-http_spdy_module and using openssl-1.0.1f (previously
> openssl-1.0.1e without http_spdy_module)
> ssl_session_cache shared:SSL:10m; # No change
> ssl_buffer_size 1400; # New
> ssl_session_timeout 24h; # Previously 10m
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; # No change

You've changed SSL session timeout from 10 minutes to 24 hours,
and this basically means that sessions will use 144 times more
space in session cache. On the other hand, cache size wasn't
changed - so you've run out of space in the cache configured. If
there is no space in a cache nginx will try to drop one
non-expired session from the cache, but it may not be enough to
store a new session (as different sessions may occupy different
space), resulting in alerts you've quoted.

Note well that configuring ssl_buffer_size to 1400 isn't a good
idea unless you are doing so for your own performance testing.
See previous discussions for details.

Overral, this doesn't looks relevant to nginx-devel@. Please use
nginx@ for futher questions.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx