Re: Distributed SSL session cache

Piotr Sikora
September 16, 2013 04:32AM
Hello,

> SSL session tickets are not good enough b/c they don't support modern cipher modes (like GCM) and they don't work with PFS.

Neither is true. Below is the output of nginx's debug log for two SSL
handshakes. The first connection creates a new session (and does a full
handshake), while the second one successfully reuses the session (and
does only an abbreviated handshake) using the Session Ticket from the
first connection. As you can see, there was no problem negotiating TLS
1.2 or a PFS cipher suite.

[debug] 20655#0: *1 SSL_accept: before/accept initialization
[debug] 20655#0: *1 SSL server name: "localhost"
[debug] 20655#0: *1 SSL_accept: SSLv3 read client hello A
[debug] 20655#0: *1 SSL_accept: SSLv3 write server hello A
[debug] 20655#0: *1 SSL_accept: SSLv3 write certificate A
[debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A
[debug] 20655#0: *1 SSL_accept: SSLv3 write server done A
[debug] 20655#0: *1 SSL_accept: SSLv3 flush data
[debug] 20655#0: *1 SSL_do_handshake: -1
[debug] 20655#0: *1 SSL_get_error: 2
[debug] 20655#0: *1 SSL handshake handler: 0
[debug] 20655#0: *1 SSL_accept: SSLv3 read client key exchange A
[debug] 20655#0: *1 SSL_accept: SSLv3 read finished A
[debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A
[debug] 20655#0: *1 SSL_accept: SSLv3 write change cipher spec A
[debug] 20655#0: *1 SSL_accept: SSLv3 write finished A
[debug] 20655#0: *1 SSL_accept: SSLv3 flush data
[debug] 20655#0: *1 SSL_do_handshake: 1
[debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"

[debug] 20655#0: *2 SSL_accept: before/accept initialization
[debug] 20655#0: *2 SSL server name: "localhost"
[debug] 20655#0: *2 SSL_accept: SSLv3 read client hello A
[debug] 20655#0: *2 SSL_accept: SSLv3 write server hello A
[debug] 20655#0: *2 SSL_accept: SSLv3 write change cipher spec A
[debug] 20655#0: *2 SSL_accept: SSLv3 write finished A
[debug] 20655#0: *2 SSL_accept: SSLv3 flush data
[debug] 20655#0: *2 SSL_do_handshake: -1
[debug] 20655#0: *2 SSL_get_error: 2
[debug] 20655#0: *2 SSL handshake handler: 0
[debug] 20655#0: *2 SSL_accept: SSLv3 read finished A
[debug] 20655#0: *2 SSL_do_handshake: 1
[debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL reused session

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
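To make the check in the message above repeatable, here is an added example (not from the post, and not an nginx tool) that parses nginx debug-log lines of the kind quoted there and reports, per connection, whether the handshake was full or abbreviated (session reused), which protocol and cipher suite were negotiated, and whether the suite uses ephemeral (EC)DH key exchange and an AEAD cipher. It also handles the cipher line being wrapped onto a second line, as it is in the post. Connections *1 and *2 in the sample are the two handshakes from the post; connection *3 is a constructed negative case with a static RSA key exchange and a CBC suite, and the Kx/Mac classification is my own heuristic on OpenSSL's cipher description format.

```python
import re
from dataclasses import dataclass

# Constructed sample: *1 and *2 are the two handshakes quoted in the post (cipher
# line wrapped as it is there); *3 is a made-up non-PFS, non-AEAD negative case.
SAMPLE_LOG = """\
[debug] 20655#0: *1 SSL_accept: before/accept initialization
[debug] 20655#0: *1 SSL_accept: SSLv3 write certificate A
[debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A
[debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A
[debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL_accept: before/accept initialization
[debug] 20655#0: *2 SSL_accept: SSLv3 write change cipher spec A
[debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL reused session
[debug] 20655#0: *3 SSL_accept: before/accept initialization
[debug] 20655#0: *3 SSL_accept: SSLv3 write certificate A
[debug] 20655#0: *3 SSL: TLSv1.0, cipher: "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"
"""

LINE_RE = re.compile(r"^\[debug\] \d+#\d+: \*(\d+) (.*)$")
CIPHER_RE = re.compile(r'^SSL: (\S+), cipher: "(.*)$')
DESC_RE = re.compile(r"Kx=(\S+) Au=(\S+) Enc=(\S+) Mac=([A-Za-z0-9]+)")


@dataclass
class Handshake:
    conn: int
    protocol: str = ""
    cipher: str = ""
    kx: str = ""
    enc: str = ""
    mac: str = ""
    sent_certificate: bool = False
    sent_key_exchange: bool = False
    issued_ticket: bool = False
    reused: bool = False
    _desc: str = ""  # raw cipher description, possibly still being assembled

    @property
    def kind(self) -> str:
        return "abbreviated" if self.reused else "full"

    @property
    def forward_secrecy(self) -> bool:
        # Heuristic on OpenSSL's description: ephemeral suites print Kx=ECDH or
        # Kx=DH; static RSA / static ECDH (Kx=RSA, Kx=ECDH/RSA) are not counted.
        return self.kx in ("ECDH", "DH")

    @property
    def aead(self) -> bool:
        return self.mac == "AEAD"

    @property
    def consistent(self) -> bool:
        # A resumed session must not have sent a certificate or key exchange.
        return not (self.reused and (self.sent_certificate or self.sent_key_exchange))


def _finish_cipher(hs: Handshake) -> None:
    desc = hs._desc.rstrip('"')
    hs.cipher = desc.split()[0]
    m = DESC_RE.search(desc)
    if m:
        hs.kx, _au, hs.enc, hs.mac = m.groups()


def parse_debug_log(text: str) -> dict:
    """Map connection number -> Handshake, joining wrapped cipher lines."""
    conns: dict = {}
    pending = None  # Handshake whose cipher line has not closed its quote yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            if pending is not None:  # continuation of a wrapped cipher line
                pending._desc += " " + line
                if pending._desc.endswith('"'):
                    _finish_cipher(pending)
                    pending = None
            continue
        conn, msg = int(m.group(1)), m.group(2)
        hs = conns.setdefault(conn, Handshake(conn))
        cm = CIPHER_RE.match(msg)
        if cm:
            hs.protocol, hs._desc = cm.group(1), cm.group(2)
            if hs._desc.endswith('"'):
                _finish_cipher(hs)
            else:
                pending = hs
        elif msg.endswith("write certificate A"):
            hs.sent_certificate = True
        elif msg.endswith("write key exchange A"):
            hs.sent_key_exchange = True
        elif msg.endswith("write session ticket A"):
            hs.issued_ticket = True
        elif msg == "SSL reused session":
            hs.reused = True
    return conns


def resumption_report(text: str) -> list:
    """One summary dict per connection, in connection order."""
    return [
        {"conn": c, "handshake": h.kind, "protocol": h.protocol, "cipher": h.cipher,
         "pfs": h.forward_secrecy, "aead": h.aead, "ticket_issued": h.issued_ticket,
         "consistent": h.consistent}
        for c, h in sorted(parse_debug_log(text).items())
    ]


if __name__ == "__main__":
    for row in resumption_report(SAMPLE_LOG):
        print(row)
```

Run against a real `error_log ... debug` file, the report gives the same evidence the post shows by hand: the resumed connection (*2) carries no certificate or key-exchange message, yet still reports TLSv1.2 with an ECDHE AEAD suite, so ticket-based resumption neither downgrades the protocol nor forces a non-PFS suite.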