Session ticket renewal regarding RFC 5077 TLS session resumption

Robert Naundorf
October 29, 2020 05:24PM
Hello,

I have a question on TLS session resumption with client-side session
tickets and its implementation in nginx.

RFC 5077, section 3.3, paragraph 2 reads:

    If the server successfully verifies the client's ticket, then it MAY renew
    the ticket by including a NewSessionTicket handshake message after the
    ServerHello in the abbreviated handshake. The client should start using the
    new ticket as soon as possible ...

Which seems very reasonable to me. That way the session could continue
without the need of a costly full handshake. It could continue virtually
forever, as long as the client resumes the session within the time window
configured by ssl_session_timeout.


However, it appears to me that nginx will not issue a new session ticket
proactively before ssl_session_timeout elapses.
So session resumption works fine within ssl_session_timeout and nginx
initiates a full handshake once the timeout has expired.

Searching the interwebs I found an old trac issue
(https://trac.nginx.org/nginx/ticket/120) including a patch, where it was
reported that clients do not seem to support this kind of behavior.
And then there is ticket 1892 (https://trac.nginx.org/nginx/ticket/1892)
which is about session ticket renewal on TLS 1.3 (in my case it is TLS 1.2)
but says that the setting ssl_session_ticket_key plays a role for this
topic.

So is my expectation and my understanding of RFC 5077 correct? And what is
the current implementation in nginx?


Best regards,
Robert
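
One way to check from a capture whether a server renewed the ticket during an abbreviated handshake, as an added example that is not part of the original post or of nginx: it walks the plaintext handshake messages of the server's first flight and reports a NewSessionTicket (handshake type 4, RFC 5077 section 3.3) that follows the ServerHello. The function names and sample bytes are constructed for illustration, and the input is assumed to be TLS 1.2 handshake-layer bytes already reassembled from the records sent before ChangeCipherSpec.

```python
import struct

SERVER_HELLO = 2
NEW_SESSION_TICKET = 4  # HandshakeType value from RFC 5077, section 3.3

def iter_handshake(stream: bytes):
    """Yield (msg_type, body) for each TLS handshake message in stream."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = stream[pos]
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")  # uint24
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield msg_type, body
        pos += 4 + length

def parse_new_session_ticket(body: bytes):
    """Return (ticket_lifetime_hint, ticket) from a NewSessionTicket body."""
    if len(body) < 6:
        raise ValueError("NewSessionTicket too short")
    # uint32 ticket_lifetime_hint, then opaque ticket<0..2^16-1>
    hint, ticket_len = struct.unpack("!IH", body[:6])
    ticket = body[6:]
    if len(ticket) != ticket_len:
        raise ValueError("ticket length mismatch")
    return hint, ticket

def renewed_ticket(server_flight: bytes):
    """Return (hint, ticket) if a NewSessionTicket follows the ServerHello, else None."""
    seen_hello = False
    for msg_type, body in iter_handshake(server_flight):
        if msg_type == SERVER_HELLO:
            seen_hello = True
        elif msg_type == NEW_SESSION_TICKET and seen_hello:
            return parse_new_session_ticket(body)
    return None

def _msg(msg_type: int, body: bytes) -> bytes:
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample flights (not captured traffic); the ServerHello body is a
# minimal dummy: version, 32-byte random, empty session id, suite, compression.
HELLO = _msg(SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00")
RENEWING = HELLO + _msg(NEW_SESSION_TICKET, struct.pack("!IH", 300, 4) + b"TKT2")
```

Comparing the returned ticket bytes with the ticket the client offered shows whether the server issued a fresh one or none at all.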