> On 23 Dec 2023, at 01:46, Maxim Dounin <mdou...@mdounin.ru> wrote:
> 
> Hello!
> 
> On Fri, Dec 22, 2023 at 06:28:34PM +0400, Sergey Kandaurov wrote:
> 
>> # HG changeset patch
>> # User Sergey Kandaurov <pluk...@nginx.com>
>> # Date 1703255284 -14400
>> #      Fri Dec 22 18:28:04 2023 +0400
>> # Node ID a463fb67e143c051fd373d1df94e5813a37d5cea
>> # Parent  44266e0651c44f530c4aa66e68c1b9464a9acee7
>> SSL: raised limit for upstream session size.
>> 
>> Unlike shared session cache used to store multiple client SSL sessions and
>> which may be per a single SSL connection, sessions saved from upstream are
>> per upstream server peer, so there is no such multiplier effect, but they
>> may be of noticeably larger size due to session tickets being used.
>> 
>> It was observed that session tickets sent from JVM backends may result in
>> a decoded session size nearly the previous maximum session size limit of
>> 4096 or slightly beyond. Raising the limit allows saving such sessions.
> 
> Session tickets are not expected to be larger than sessions
> themselves, except by several bytes used for key identification and
> encryption overhead. I see no reasons why the limit should be
> different in different places.
> 
> And 4096 for an SSL session looks a lot. The only justification I
> can assume here is an SSL session with the client certificate (or
> even certificate chain) being saved into the session. It might
> be worth looking into what actually happens here.
> 
Indeed. Both local and peer certificate chains are serialized and encrypted
as part of constructing a session ticket. Per the original change to support
tickets, this is hardcoded and may not be adjusted:

https://hg.openjdk.org/jdk/jdk/rev/c2398053ee90#l4.352
https://hg.openjdk.org/jdk/jdk/rev/c2398053ee90#l10.261

-- 
Sergey Kandaurov

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
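The thread's question is whether an upstream's session tickets, once nginx serialises the OpenSSL session with i2d_SSL_SESSION, can stay under the per-session cap. The following is an added example, not code from nginx or the JDK: it parses a captured NewSessionTicket handshake message (both the RFC 5077 TLS 1.2 layout and the RFC 8446 TLS 1.3 layout) and reports the ticket length against a cap. Because the ASN.1 session encoding carries the ticket verbatim, the ticket length is a strict lower bound on the serialised session, so a ticket at or above the cap can never be saved, whatever the other fields add. The only cap value the thread states is the previous 4096; the raised value is not given, so the cap is a parameter here. The two sample messages are constructed, not captured traffic.

```python
"""Added example (not nginx or JDK code): size-check TLS NewSessionTicket
messages against an nginx per-session cap.  The cap is a parameter; the
only value the thread gives is the previous one, 4096."""
import struct

NGX_SSL_MAX_SESSION_SIZE = 4096   # previous nginx cap, per the thread
HS_NEW_SESSION_TICKET = 4         # TLS HandshakeType NewSessionTicket


def parse_handshake(msg):
    """Split one TLS handshake message into (msg_type, body)."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("handshake body shorter than declared length")
    return msg[0], body


def parse_nst_tls12(body):
    """RFC 5077 NewSessionTicket: lifetime_hint(4) ticket<0..2^16-1>."""
    if len(body) < 6:
        raise ValueError("truncated NewSessionTicket")
    lifetime, tlen = struct.unpack(">IH", body[:6])
    if len(body) != 6 + tlen:
        raise ValueError("ticket length does not match message length")
    return {"lifetime": lifetime, "ticket_len": tlen}


def parse_nst_tls13(body):
    """RFC 8446 4.6.1 NewSessionTicket: lifetime(4) age_add(4)
    nonce<0..255> ticket<1..2^16-1> extensions<0..2^16-2>.
    (Sent encrypted in TLS 1.3, so only visible after record decryption.)"""
    off = 0

    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated NewSessionTicket")
        chunk = body[off:off + n]
        off += n
        return chunk

    lifetime, age_add = struct.unpack(">II", take(8))
    nonce = take(take(1)[0])
    (tlen,) = struct.unpack(">H", take(2))
    if tlen == 0:
        raise ValueError("TLS 1.3 ticket must be non-empty")
    take(tlen)
    (elen,) = struct.unpack(">H", take(2))
    take(elen)
    if off != len(body):
        raise ValueError("trailing bytes after extensions")
    return {"lifetime": lifetime, "age_add": age_add,
            "nonce_len": len(nonce), "ticket_len": tlen, "ext_len": elen}


def check_ticket(msg, tls13, limit=NGX_SSL_MAX_SESSION_SIZE):
    """Parsed ticket fields plus whether the saved session *may* fit.
    ticket_len < limit is necessary, not sufficient: i2d_SSL_SESSION adds
    the master secret, cipher, version and other fields on top."""
    hs_type, body = parse_handshake(msg)
    if hs_type != HS_NEW_SESSION_TICKET:
        raise ValueError(f"handshake type {hs_type} is not NewSessionTicket")
    info = parse_nst_tls13(body) if tls13 else parse_nst_tls12(body)
    info["limit"] = limit
    info["may_fit"] = info["ticket_len"] < limit
    return info


def _hs(body):
    return bytes([HS_NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body


def build_nst_tls12(ticket, lifetime=7200):
    return _hs(struct.pack(">IH", lifetime, len(ticket)) + ticket)


def build_nst_tls13(ticket, lifetime=7200, age_add=0x11223344, nonce=b"\x00"):
    return _hs(struct.pack(">II", lifetime, age_add)
               + bytes([len(nonce)]) + nonce
               + struct.pack(">H", len(ticket)) + ticket
               + struct.pack(">H", 0))


# Constructed samples, not captured traffic.  The first stands in for a ticket
# that carries both certificate chains and overshoots the old cap by itself.
JVM_LIKE_TLS12 = build_nst_tls12(b"\xab" * 4200)
SMALL_TLS13 = build_nst_tls13(b"\xcd" * 160)

if __name__ == "__main__":
    for name, msg, v13 in (("jvm-like/tls1.2", JVM_LIKE_TLS12, False),
                           ("small/tls1.3", SMALL_TLS13, True)):
        print(name, check_ticket(msg, v13))
```

To use it against a real backend, feed `check_ticket` the NewSessionTicket handshake message extracted from a capture (for TLS 1.2 it is in the clear after ServerHello; for TLS 1.3 it arrives encrypted and must be decrypted with the session keys first), and pass whatever cap the running nginx build uses as `limit`. A `may_fit` of False settles the question without measuring the full serialised session; True only says the ticket alone leaves headroom.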