RE: TLS/SSL Cache Automatic Purge

2016-04-12 Thread Lukas Tribus
Hi,


> Just to be perfectly clear: does that mean that session tickets are
> supported for any version of nginx (including <v1.5.9), provided
> OpenSSL 0.9.8f is available?

Yes.



> So the directive would be kind of 'intercepting' TLS commands, a man in 
> the middle of client and OpenSSL?

No, the feature [1] sets SSL_OP_NO_TICKET [2], which instructs OpenSSL
to NOT use TLS tickets. By default, OpenSSL uses tickets.



> The only information for ssl_session_timeout is “Specifies a time during
> which a client may reuse the session parameters stored in a cache.”
> It does not say anything about purging the TLS/SSL Cache which is my
> concern here.

I don't think the sessions are purged, it's probably an LRU.



Lukas


[1] http://hg.nginx.org/nginx/rev/d049b0ea00a3
[2] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx


RE: TLS/SSL Cache Automatic Purge

2016-04-12 Thread Arnaud Van der Vorst
Hi,


@B.R.

Not really…

The only information for ssl_session_timeout is “Specifies a time during which a 
client may reuse the session parameters stored in a cache.” It does not say 
anything about purging the TLS/SSL Cache which is my concern here.

I have read that invalidating a TLS/SSL Session and purging the TLS/SSL Cache 
are two separate things.

Arnaud

From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of B.R.
Sent: Monday 11 April 2016 22:15
To: nginx ML <nginx@nginx.org>
Subject: Re: TLS/SSL Cache Automatic Purge

Hello,

@Maxim

Just to be perfectly clear: does that mean that session tickets are supported 
for any version of nginx (including <v1.5.9), provided OpenSSL 0.9.8f is 
available?

So the directive would be kind of 'intercepting' TLS commands, a man in the 
middle of client and OpenSSL?

@Arnaud

I guess the docs 
<http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout>  
have all your answers.


---
B. R.

On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin <mdou...@mdounin.ru> wrote:

Hello!

On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote:

[...]

> On a side-note, by default nginx does not store session parameters as it
> prefers tickets
> <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets>,
> supported since v1.5.9, over sessions ID.

Session tickets supported as long as OpenSSL version used supports
them, that is, with OpenSSL 0.9.8f or later.

In nginx 1.5.9 the "ssl_session_tickets" directive was added,
which makes it possible to disable session tickets when needed.

--
Maxim Dounin
http://nginx.org/



Re: TLS/SSL Cache Automatic Purge

2016-04-11 Thread B.R.
Hello,

@Maxim
Just to be perfectly clear: does that mean that session tickets are
supported for any version of nginx (including <v1.5.9), provided OpenSSL
0.9.8f is available?

So the directive would be kind of 'intercepting' TLS commands, a man in the
middle of client and OpenSSL?

@Arnaud
I guess the docs
<http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout>
have all your answers.
---
*B. R.*

On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin wrote:

> Hello!
>
> On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote:
>
> [...]
>
> > On a side-note, by default nginx does not store session parameters as it
> > prefers tickets
> > <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets>,
> > supported since v1.5.9, over sessions ID.
>
> Session tickets supported as long as OpenSSL version used supports
> them, that is, with OpenSSL 0.9.8f or later.
>
> In nginx 1.5.9 the "ssl_session_tickets" directive was added,
> which makes it possible to disable session tickets when needed.
>
> --
> Maxim Dounin
> http://nginx.org/

TLS/SSL Cache Automatic Purge

2016-04-11 Thread Arnaud Van der Vorst
Hi,

My name is Arnaud and I am new to the list.

I would like to know if NGINX is using any automatic purge mechanism for its
TLS/SSL Cache configured using the following directives:

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;

I understand that a daily purge of TLS/SSL Cache is highly recommended to
avoid breaking Perfect Forward Secrecy of the TLS Protocol.

If it does NOT use automatic purge, how can I purge the Shared cache used by
NGINX then?

Are there any command line tools for that purpose?

Thank you very much in advance for your answer and have a nice day!

Kind regards,

Arnaud

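The configuration and the outside-in check that this thread circles around (Arnaud's question above about purging the cache, and Lukas's reply at the top that the cache is timeout-bounded and that "ssl_session_tickets off" sets SSL_OP_NO_TICKET), as an added example. This is editor-written code, not code from the thread, from nginx or from OpenSSL. It assumes openssl(1) is installed; HOST/PORT are placeholders, the function names are the editor's, and the s_client transcripts embedded at the bottom are constructed samples so the parsers can be exercised without a network.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread, nginx or OpenSSL): an
# outside-in check of the resumption behaviour this thread discusses, built on
# openssl s_client. Assumes openssl(1) is installed. HOST/PORT, the function
# names and the sample transcripts below are placeholders/constructed.

# The directives under discussion, as a reference block. Session IDs sit in the
# shared cache until ssl_session_timeout elapses (and the oldest entries go when
# the cache fills); "ssl_session_tickets off" sets SSL_OP_NO_TICKET so OpenSSL
# issues no tickets, leaving nothing that outlives the cache entry.
nginx_ssl_snippet() {
cat <<'EOF'
ssl_session_cache   shared:SSL:10m;   # about 4000 sessions per MB (nginx docs)
ssl_session_timeout 10m;              # how long a cached session may be resumed
ssl_session_tickets off;              # no tickets => no long-lived ticket key
EOF
}

# ---- parsers over an "openssl s_client" transcript passed as $1 ----

# True (exit 0) if the server sent a session ticket; TLS 1.2 transcripts show it
# as a "TLS session ticket:" line inside the SSL-Session block.
ticket_issued() {
    printf '%s\n' "$1" | grep -q '^ *TLS session ticket:'
}

# True if the handshake resumed a previous session ("Reused," instead of "New,").
session_reused() {
    printf '%s\n' "$1" | grep -q '^Reused,'
}

# Prints the server-assigned session ID (hex), or nothing if absent.
session_id() {
    printf '%s\n' "$1" | sed -n 's/^ *Session-ID: *\([0-9A-Fa-f]*\).*/\1/p'
}

# Prints the session lifetime the client was told, in seconds. nginx hands
# ssl_session_timeout to OpenSSL as the session timeout, so this is the value
# to compare against your config.
session_timeout_sec() {
    printf '%s\n' "$1" | sed -n 's/^ *Timeout *: *\([0-9]*\) (sec).*/\1/p'
}

# ---- live probe: needs network and a real host, so it is not run here ----
# Handshake once saving the session, then handshake again trying to resume it.
# Pinned to TLS 1.2: TLS 1.3 delivers tickets after the handshake and its
# transcript differs, so the parsers above target 1.2 output.
probe_resumption() {
    host=$1; port=${2:-443}; sess=$(mktemp)
    first=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
                -sess_out "$sess" </dev/null 2>/dev/null)
    if ticket_issued "$first"; then
        echo "tickets: ON (ssl_session_tickets off is not in effect)"
    else
        echo "tickets: off"
    fi
    echo "session id: $(session_id "$first")"
    echo "advertised timeout: $(session_timeout_sec "$first")s"
    # Run this second handshake again after ssl_session_timeout has elapsed: a
    # server honouring the timeout answers "New," rather than "Reused,".
    second=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
                 -sess_in "$sess" </dev/null 2>/dev/null)
    if session_reused "$second"; then
        echo "resumption: reused"
    else
        echo "resumption: full handshake"
    fi
    rm -f "$sess"
}

# Constructed sample transcripts, trimmed to the lines the parsers look at.
SAMPLE_TICKET='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 5c 2e 11 8a 00 00 00 00
    Start Time: 1460400000
    Timeout   : 600 (sec)'

SAMPLE_NO_TICKET='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
    Start Time: 1460400000
    Timeout   : 600 (sec)'

SAMPLE_RESUMED='Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Session-ID: 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
    Timeout   : 600 (sec)'
```

Usage: source the file and run `probe_resumption your.host` once, then again after ssl_session_timeout has passed; the second run should report "full handshake" if the cache entry aged out as Lukas describes. What the check does not cover: with tickets on, the ticket encryption key held in nginx's memory decrypts every ticket issued under it, so rotating that key (or turning tickets off, as in the snippet) matters more for forward secrecy than any manual purge of the session-ID cache, whose entries expire on their own schedule.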