Hello, I have a question on TLS session resumption with client-side session tickets and its implementation in nginx.
RFC 5077, section 3.3, paragraph 2 reads:

"If the server successfully verifies the client's ticket, then it MAY renew the ticket by including a NewSessionTicket handshake message after the ServerHello in the abbreviated handshake. The client should start using the new ticket as soon as possible ..."

This seems very reasonable to me. That way the session could continue without the need for a costly full handshake. It could continue virtually forever, as long as the client resumes the session within the time window configured by ssl_session_timeout.

However, it appears to me that nginx will not issue a new session ticket proactively before ssl_session_timeout elapses. So session resumption works fine within ssl_session_timeout, and nginx initiates a full handshake once the timeout has expired.

Searching the interwebs I found an old trac issue (https://trac.nginx.org/nginx/ticket/120) including a patch, where it was reported that clients do not seem to support this kind of behavior. And then there is ticket 1892 (https://trac.nginx.org/nginx/ticket/1892), which is about session ticket renewal on TLS 1.3 (in my case it is TLS 1.2) but says that the setting ssl_session_ticket_key plays a role for this topic.

So is my expectation and my understanding of RFC 5077 correct? And what is the current implementation in nginx?

Best regards,
Robert
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
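As an added illustration (not code from the thread or from nginx), the Python model below contrasts the two server policies the post describes: a server that verifies a ticket but never renews it, so a client that resumes regularly still pays a full handshake once ssl_session_timeout has passed since the ticket was issued, versus a server that follows RFC 5077 section 3.3 and reissues the ticket on every abbreviated handshake. The HMAC-protected ticket format, the key (standing in for the role of ssl_session_ticket_key), and the timing values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real server would also encrypt the ticket body.
TICKET_KEY = b"constructed-demo-ticket-key"


def issue_ticket(session_state: dict, issued_at: int) -> bytes:
    """Server side: bind the session state and issue time into a ticket and MAC it."""
    body = json.dumps({"state": session_state, "issued_at": issued_at}).encode()
    tag = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


def verify_ticket(ticket: bytes, now: int, timeout: int):
    """Return the embedded state if the MAC is valid and the ticket is younger than
    the session timeout; return None otherwise, which forces a full handshake."""
    raw = base64.b64decode(ticket)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered, or issued under a different (rotated) key
    payload = json.loads(body)
    if now - payload["issued_at"] >= timeout:
        return None  # ticket older than ssl_session_timeout
    return payload["state"]


def simulate(interval: int, total: int, timeout: int, renew_on_resume: bool) -> int:
    """A client reconnects every `interval` seconds for `total` seconds.
    Returns how many full handshakes the server had to perform."""
    full_handshakes = 0
    ticket = None
    for now in range(0, total, interval):
        state = verify_ticket(ticket, now, timeout) if ticket else None
        if state is None:
            full_handshakes += 1
            # A full handshake always ends with a fresh ticket.
            ticket = issue_ticket({"sid": full_handshakes}, now)
        elif renew_on_resume:
            # RFC 5077 3.3: NewSessionTicket inside the abbreviated handshake,
            # so the age clock restarts at every resumption.
            ticket = issue_ticket(state, now)
    return full_handshakes


if __name__ == "__main__":
    # Client resumes every minute for an hour against a 10-minute timeout.
    print("no renewal  :", simulate(60, 3600, 600, False), "full handshakes")
    print("RFC 5077 3.3:", simulate(60, 3600, 600, True), "full handshakes")
```

With the constructed values, the non-renewing server performs a full handshake at every timeout boundary (6 in an hour), while the renewing server performs only the initial one.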
