On 22 Nov 2010 03h02 WET, mdounin@mdounin.ru wrote:

Hello Maxim,

Thank you for your reply.


> Session establishmen/resumption happens before SNI handling.
> Therefore configuring session cache within SNI-only server{} won't
> work, you have to configure one in default server for the socket
> in question.

So the session resumption is done using a mapping that related IPs
with session IDs. Completely oblivious to anything related with
server_name.

> This is how it's done in OpenSSL, and it seems to be what actually
> required by RFC4366 (http://tools.ietf.org/html/rfc4366#section-3):
>
> - If, on the other hand, the older session is resumed, then the
> server MUST ignore the extensions and send a server hello
> containing none of the extension types. In this case, the
> functionality of these extensions negotiated during the original
> session initiation is applied to the resumed session.

I tried this:

listen [::]:443 ssl default_server; # ipv6

while leaving the '_' server_name for the HTTP default server. But
gnutls-bin gives the same results. No session resumption support. It
requires a regular default_server, i.e.,

listen [::]:80 default_server; # ipv6

And the session cache configured in the correct server. This means
that I must ditch the "illegal" Host header server block so it seems
in order to get SSL session resumption to work :(

--- appa


_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx