Re: SSL Session Caching - Memcached

Nipunn Koorapati
April 02, 2014 05:38PM
Ah. I hadn't seen Daniel's response yet. Thanks for the reply.

I looked into session tickets, but they do not provide forward secrecy.
Unless keys are randomly generated and rotated with high frequency, there
will exist a single point of attack on the side. The cached session-id
mechanism provides this, which is why I'm looking into it.

Of course, I understand your point about synchronous blocking operations.
It looks like memcached provides asynchronous get/set methods; however, it
doesn't look like there are hooks into OpenSSL to split up the
SSL_CTX_sess_set_*_cb methods. For the memcache_set call, we could switch
to being asynchronous fairly easily. For the memcache_get call, memcache
provides 2 separate methods. We could do some additional h4x and
setjmp/longjmp from the memcache call point to our event loop, but I assume
there's going to be some pushback to that idea.

In either case, we'd also want aggressive configurable timeouts for the
calls to memcached.

Is there some philosophical qualm with adding a dependency to memcache, or
is it just the concern of having a blocking call in the worker event loop?
I think we may be able to work around that.

Thanks
--Nipunn



On Wed, Apr 2, 2014 at 5:35 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Tue, Apr 01, 2014 at 06:06:10PM -0700, Nipunn Koorapati wrote:
>
> > I was able to graft the patch. It compiles and runs successfully. It
> > required a bit more work obviously as the code has changed since version
> > 0.8, but I think I covered it. Also had to make some modifications to the
> > mail-ssl module as it had dependencies. Is there some nginx tests /
> > testsuite module I should verify against / add tests to?
>
> There is a test suite as available at
> http://hg.nginx.org/nginx-tests.
>
> On the other hand, as already pointed out by Daniel, the patch in
> question isn't something to be seriously considered. It's just a
> dirty hack.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
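One way to put a hard time budget on the memcached lookup discussed in the message above, as an added example that is not part of the original post, the patch, or nginx: because the OpenSSL get-session callback is synchronous, the read is bounded by a deadline and a timeout is treated as a cache miss, so the connection falls back to a full handshake. `cache_get_reply` and its parameters are hypothetical, and the sketch assumes `fd` is an already-connected socket on which the text-protocol `get` request has been sent.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Milliseconds on the monotonic clock (unaffected by wall-clock changes). */
static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Hypothetical helper (not nginx or libmemcached code): read the reply to a
 * memcached text-protocol "get" from fd, spending at most budget_ms in total.
 * Returns the value length and sets *val on a hit, 0 on a miss or timeout
 * (caller does a full handshake), -1 on a protocol, size or I/O error.
 * cap is the size of buf; one byte is reserved for a terminating NUL. */
long cache_get_reply(int fd, char *buf, size_t cap, int budget_ms,
                     const char **val) {
    long deadline = now_ms() + budget_ms;
    size_t used = 0, hdr = 0, len = 0, need = 0;
    for (;;) {
        if (!hdr && used >= 5 && memcmp(buf, "END\r\n", 5) == 0)
            return 0;                                /* key not cached */
        char *eol = (!hdr && used) ? memchr(buf, '\n', used) : NULL;
        if (eol) {                  /* "VALUE <key> <flags> <bytes>\r\n" */
            if (sscanf(buf, "VALUE %*s %*u %zu", &len) != 1) return -1;
            hdr = (size_t)(eol - buf) + 1;
            /* value + "\r\n" + "END\r\n" must fit; reject oversized lengths */
            if (len >= cap || (need = hdr + len + 7) >= cap) return -1;
        }
        if (hdr && used >= need) { *val = buf + hdr; return (long)len; }
        if (used + 1 >= cap) return -1;              /* buffer full */
        long left = deadline - now_ms();
        if (left <= 0) return 0;                     /* budget spent */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);
        if (r == 0) return 0;                        /* timed out: miss */
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t n = read(fd, buf + used, cap - 1 - used);
        if (n < 0) { if (errno == EINTR || errno == EAGAIN) continue; return -1; }
        if (n == 0) return -1;                       /* peer closed */
        used += (size_t)n;
        buf[used] = '\0';           /* keeps the header safe for sscanf */
    }
}
```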