Re: Distributed SSL session cache

kyprizel
September 16, 2013 05:04AM
Piotr, are we talking about "session tickets" (http://tools.ietf.org/html/rfc4507)?

On Mon, Sep 16, 2013 at 12:30 PM, Piotr Sikora <piotr@cloudflare.com> wrote:

> Hello,
>
> > SSL session tickets are not good enough b/c they don't support modern
> cipher modes (like GCM) and they don't work with PFS.
>
> Neither is true. Below is the output of nginx's debug log for two SSL
> handshakes. First connection creates new session (and does full
> handshake), while the second one successfully reuses session (and is
> doing only abbreviated handshake) using Session Ticket from the first
> connection. As you can see, there was no problem with negotiating TLS
> 1.2 or PFS cipher suite.
>
> [debug] 20655#0: *1 SSL_accept: before/accept initialization
> [debug] 20655#0: *1 SSL server name: "localhost"
> [debug] 20655#0: *1 SSL_accept: SSLv3 read client hello A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write server hello A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write certificate A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write server done A
> [debug] 20655#0: *1 SSL_accept: SSLv3 flush data
> [debug] 20655#0: *1 SSL_do_handshake: -1
> [debug] 20655#0: *1 SSL_get_error: 2
> [debug] 20655#0: *1 SSL handshake handler: 0
> [debug] 20655#0: *1 SSL_accept: SSLv3 read client key exchange A
> [debug] 20655#0: *1 SSL_accept: SSLv3 read finished A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write change cipher spec A
> [debug] 20655#0: *1 SSL_accept: SSLv3 write finished A
> [debug] 20655#0: *1 SSL_accept: SSLv3 flush data
> [debug] 20655#0: *1 SSL_do_handshake: 1
> [debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
> TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
>
> [debug] 20655#0: *2 SSL_accept: before/accept initialization
> [debug] 20655#0: *2 SSL server name: "localhost"
> [debug] 20655#0: *2 SSL_accept: SSLv3 read client hello A
> [debug] 20655#0: *2 SSL_accept: SSLv3 write server hello A
> [debug] 20655#0: *2 SSL_accept: SSLv3 write change cipher spec A
> [debug] 20655#0: *2 SSL_accept: SSLv3 write finished A
> [debug] 20655#0: *2 SSL_accept: SSLv3 flush data
> [debug] 20655#0: *2 SSL_do_handshake: -1
> [debug] 20655#0: *2 SSL_get_error: 2
> [debug] 20655#0: *2 SSL handshake handler: 0
> [debug] 20655#0: *2 SSL_accept: SSLv3 read finished A
> [debug] 20655#0: *2 SSL_do_handshake: 1
> [debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256
> TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
> [debug] 20655#0: *2 SSL reused session
>
> Best regards,
> Piotr Sikora
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
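As an added example (not part of the thread), a small Python parser that walks nginx SSL debug lines like the ones Piotr posted and reports, per connection, whether it was a full handshake or a ticket resumption and which protocol, key exchange and cipher mode were negotiated. The embedded log is a constructed, shortened copy of the lines above with the mail-wrapped cipher line joined back together.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the nginx debug lines quoted above.
SAMPLE_LOG = """\
[debug] 20655#0: *1 SSL_accept: SSLv3 read client hello A
[debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A
[debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A
[debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL_accept: SSLv3 read client hello A
[debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
[debug] 20655#0: *2 SSL reused session
"""

CONN_RE = re.compile(r"\*(\d+) (.*)$")
CIPHER_RE = re.compile(
    r'SSL: (\S+), cipher: "(\S+) \S+ Kx=(\S+) Au=\S+ Enc=(\S+) Mac=(\S+)"')

def parse_ssl_debug(log_text):
    """Group nginx SSL debug lines by connection id and summarise each handshake."""
    conns = defaultdict(lambda: {"resumed": False, "ticket_issued": False,
                                 "ephemeral_kx": False, "proto": None,
                                 "cipher": None, "kx": None, "enc": None, "mac": None})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns[m.group(1)]
        msg = m.group(2)
        if "reused session" in msg:
            c["resumed"] = True            # abbreviated handshake via ticket/cache
        elif "write session ticket" in msg:
            c["ticket_issued"] = True      # NewSessionTicket sent to the client
        elif "write key exchange" in msg:
            c["ephemeral_kx"] = True       # ServerKeyExchange only appears for (EC)DHE
        cm = CIPHER_RE.search(msg)
        if cm:
            c["proto"], c["cipher"], c["kx"], c["enc"], c["mac"] = cm.groups()
    return dict(conns)

def has_pfs(summary):
    # OpenSSL prints Kx=ECDH / Kx=DH for ephemeral suites; static ones show Kx=RSA or ECDH/RSA
    return summary["kx"] in ("ECDH", "DH", "ECDHE", "DHE")

def is_aead(summary):
    return summary["mac"] == "AEAD"

def describe(summary):
    kind = "resumed (abbreviated handshake)" if summary["resumed"] else "full handshake"
    return (f"{kind}; {summary['proto']} {summary['cipher']}; "
            f"PFS={has_pfs(summary)}; AEAD={is_aead(summary)}")

if __name__ == "__main__":
    for cid, s in parse_ssl_debug(SAMPLE_LOG).items():
        print(f"*{cid}: {describe(s)}")
```

The resumed connection shows no `write key exchange` line because it takes its master secret from the ticket; the cipher line still reports the ECDHE/GCM suite negotiated in the original handshake.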