RE: TLS/SSL Cache Automatic Purge
Hi,

> Just to be perfectly clear: does that mean that session tickets are
> supported for any version of nginx (including <v1.5.9), provided
> OpenSSL 0.9.8f is available?

Yes.

> So the directive would be kind of 'intercepting' TLS commands, a man in
> the middle of client and OpenSSL?

No, the feature [1] sets SSL_OP_NO_TICKET [2], which instructs OpenSSL to NOT use TLS tickets. By default, OpenSSL uses tickets.

> The only information for ssl_session_timeout is “Specifies a time during
> which a client may reuse the session parameters stored in a cache.”
> It does not say anything about purging the TLS/SSL Cache which is my
> concern here.

I don't think the sessions are purged, it's probably an LRU.

Lukas

[1] http://hg.nginx.org/nginx/rev/d049b0ea00a3
[2] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
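As an added check that is not part of this thread: a small shell helper that reads the `SSL-Session:` block printed by `openssl s_client` and tells whether the server resumed by stateless ticket (the default Lukas describes) or by server-side session ID only (what you get with `ssl_session_tickets off`, leaving just the `shared:SSL` cache), plus the ticket lifetime hint it sent. It assumes OpenSSL 1.x-style TLS 1.2 output; the two samples are constructed, not captured from a real host.

```shell
# Classify the "SSL-Session:" block printed by `openssl s_client` (fed on
# stdin) by how the server offered resumption: "ticket" (stateless TLS
# session ticket, on by default unless ssl_session_tickets off), "session-id"
# (server-side cache only, the shared:SSL cache from the thread) or "none".
tls_resumption_kind() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^ *TLS session ticket:'; then
        echo ticket
    elif printf '%s\n' "$out" | grep -Eq '^ *Session-ID: [0-9A-Fa-f]+$'; then
        echo session-id
    else
        echo none
    fi
}

# Ticket lifetime hint in seconds (0 when no hint was sent). OpenSSL servers
# typically set the hint to their session timeout, which nginx configures
# with ssl_session_timeout, so this is the value to compare against your config.
tls_ticket_lifetime_hint() {
    hint=$(sed -n 's/^ *TLS session ticket lifetime hint: \([0-9]*\).*/\1/p' | head -n 1)
    echo "${hint:-0}"
}

# Constructed samples (not captured from a real host): TLS 1.2 output from a
# server that issues tickets, and from one with ssl_session_tickets off.
SAMPLE_WITH_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5F3A9C0B1D2E4F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8
    Session-ID-ctx:
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 1a 2b 3c 4d 5e 6f 70 81-92 a3 b4 c5 d6 e7 f8 09   .+<M^op.........
    Start Time: 1460390000
    Timeout   : 600 (sec)'

SAMPLE_NO_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0011223344556677889900AABBCCDDEEFF00112233445566778899AABBCCDDEE
    Session-ID-ctx:
    Start Time: 1460390000
    Timeout   : 600 (sec)'

# Stand-alone demo; against a live server use:
#   openssl s_client -connect host:443 -tls1_2 </dev/null 2>/dev/null | tls_resumption_kind
printf '%s\n' "$SAMPLE_WITH_TICKET" | tls_resumption_kind   # ticket
printf '%s\n' "$SAMPLE_NO_TICKET" | tls_resumption_kind     # session-id
```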
RE: TLS/SSL Cache Automatic Purge
Hi,

@B.R. Not really… The only information for ssl_session_timeout is “Specifies a time during which a client may reuse the session parameters stored in a cache.” It does not say anything about purging the TLS/SSL Cache which is my concern here.

I have read that invalidating a TLS/SSL Session and purging the TLS/SSL Cache are two separate things.

Arnaud

From: nginx [mailto:nginx-boun...@nginx.org] On Behalf Of B.R.
Sent: Monday 11 April 2016 22:15
To: nginx ML <nginx@nginx.org>
Subject: Re: TLS/SSL Cache Automatic Purge

Hello,

@Maxim Just to be perfectly clear: does that mean that session tickets are supported for any version of nginx (including <v1.5.9), provided OpenSSL 0.9.8f is available?
So the directive would be kind of 'intercepting' TLS commands, a man in the middle of client and OpenSSL?

@Arnaud I guess the docs <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout> have all your answers.
---
B. R.

On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin <mdou...@mdounin.ru> wrote:

Hello!

On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote:

[...]

> On a side-note, by default nginx does not store session parameters as it
> prefers tickets
> <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets>,
> supported since v1.5.9, over sessions ID.

Session tickets are supported as long as the OpenSSL version used supports them, that is, with OpenSSL 0.9.8f or later.

In nginx 1.5.9 the "ssl_session_tickets" directive was added, which makes it possible to disable session tickets when needed.

--
Maxim Dounin
http://nginx.org/
Re: TLS/SSL Cache Automatic Purge
Hello,

@Maxim Just to be perfectly clear: does that mean that session tickets are supported for any version of nginx (including <v1.5.9), provided OpenSSL 0.9.8f is available?
So the directive would be kind of 'intercepting' TLS commands, a man in the middle of client and OpenSSL?

@Arnaud I guess the docs <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout> have all your answers.
---
*B. R.*

On Mon, Apr 11, 2016 at 3:31 PM, Maxim Dounin wrote:
> Hello!
>
> On Mon, Apr 11, 2016 at 01:23:02PM +0200, B.R. wrote:
>
> [...]
>
> > On a side-note, by default nginx does not store session parameters as it
> > prefers tickets
> > <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets>,
> > supported since v1.5.9, over sessions ID.
>
> Session tickets are supported as long as the OpenSSL version used supports
> them, that is, with OpenSSL 0.9.8f or later.
>
> In nginx 1.5.9 the "ssl_session_tickets" directive was added,
> which makes it possible to disable session tickets when needed.
>
> --
> Maxim Dounin
> http://nginx.org/
TLS/SSL Cache Automatic Purge
Hi,

My name is Arnaud and I am new to the list.

I would like to know if NGINX is using any automatic purge mechanism for its TLS/SSL Cache configured using the following directives:

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;

I understand that a daily purge of TLS/SSL Cache is highly recommended to avoid breaking Perfect Forward Secrecy of the TLS Protocol.

If it does NOT use automatic purge, how can I purge the Shared cache used by NGINX then? Are there any command line tools for that purpose?

Thank you very much in advance for your answer and have a nice day!

Kind regards,
Arnaud