Welcome! Log In Create A New Profile

Advanced

Re: SSL session resumption. SSL Labs test.

Maxim Dounin
November 22, 2010 10:30AM
Hello!

On Mon, Nov 22, 2010 at 03:39:06AM +0000, António P. P. Almeida wrote:

> On 22 Nov 2010 03h02 WET, mdounin@mdounin.ru wrote:
>
> Hello Maxim,
>
> Thank you for your reply.
>
>
> > Session establishmen/resumption happens before SNI handling.
> > Therefore configuring session cache within SNI-only server{} won't
> > work, you have to configure one in default server for the socket
> > in question.
>
> So the session resumption is done using a mapping that related IPs
> with session IDs. Completely oblivious to anything related with
> server_name.
>
> > This is how it's done in OpenSSL, and it seems to be what actually
> > required by RFC4366 (http://tools.ietf.org/html/rfc4366#section-3):
> >
> > - If, on the other hand, the older session is resumed, then the
> > server MUST ignore the extensions and send a server hello
> > containing none of the extension types. In this case, the
> > functionality of these extensions negotiated during the original
> > session initiation is applied to the resumed session.
>
> I tried this:
>
> listen [::]:443 ssl default_server; # ipv6
>
> while leaving the '_' server_name for the HTTP default server. But
> gnutls-bin gives the same results. No session resumption support. It
> requires a regular default_server, i.e.,

I've played a bit with this, and it seems the only working
configuration is having identical ssl_session_cache in all
SNI server{}'s.

Anything else will not work due to the fact that OpenSSL uses
initial context (i.e. default server's one) for session caching,
but current context (i.e. server name matched server's) e.g. to
decide whether advertise session id to client or not.

I.e. the following configuration will not cache sessions to
"test.example.com":

ssl_session_cache off;

server {
listen 443 ssl default;
ssl_session_cache shared:SSL:10m;
...
}

server {
listen 443;
server_name test.example.com;
...
}

Additionally, when shared cache is used, nginx will be confused by
new session/remove session callbacks called with ssl connection
with context which is not expected to have any session callbacks.
E.g. this configuration will generate SIGSEGV on request to
"test.example.com":

server {
listen 443 ssl default;
ssl_session_cache shared:SSL:10m;
...
}

server {
listen 443;
server_name test.example.com;
ssl_session_cache builtin;
...
}

Simpliest (and recommended) workaround for both problems is to use
ssl_session_cache defined at http{} level. I.e.

ssl_session_cache shared:SSL:10m;

server {
...
}

...

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Subject Author Posted

SSL session resumption. SSL Labs test.

António P. P. Almeida November 21, 2010 05:56PM

Re: SSL session resumption. SSL Labs test.

Luit van Drongelen November 21, 2010 05:58PM

Re: SSL session resumption. SSL Labs test.

António P. P. Almeida November 21, 2010 08:00PM

Re: SSL session resumption. SSL Labs test.

António P. P. Almeida November 21, 2010 08:18PM

Re: SSL session resumption. SSL Labs test.

António P. P. Almeida November 21, 2010 08:36PM

Re: SSL session resumption. SSL Labs test.

Maxim Dounin November 21, 2010 10:08PM

Re: SSL session resumption. SSL Labs test.

António P. P. Almeida November 21, 2010 10:48PM

Re: SSL session resumption. SSL Labs test.

Maxim Dounin November 22, 2010 10:30AM

Re: SSL session resumption. SSL Labs test.

António P. P. Almeida November 22, 2010 11:46AM

Re: SSL session resumption. SSL Labs test.

António P. P. Almeida November 22, 2010 10:06AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 113
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready