Thanks Susan!

On Wed, Oct 10, 2018 at 7:50 AM Susan Hinrichs <[email protected]> wrote:

> Digging through the ATS and the openssl code, the
> proxy.config.ssl.session_cache.timeout always has effect regardless of
> whether we are using the openssl cache (proxy.config.ssl.session_cache ==
> 1) or the Traffic Server cache (proxy.config.ssl.session_cache == 2). In
> either case SSL_CTX_set_timeout is called. Or if it isn't called, openssl
> sets the timeout for the CTX to 300 seconds. All sessions are created with
> that timeout value. Whenever a session is possibly going to be reused (due
> to a ticket or a session object fetched from cache), the timeout value is
> checked. If the timeout value has passed, the session object is rejected
> (and removed from cache via the appropriate api).
>
> So the phrase "Note: This option has no affect when using the
> Traffic Server session cache (option 2 in proxy.config.ssl.session_cache)"
> is incorrect and should be removed from our docs.
>
> On Tue, Oct 9, 2018 at 9:09 PM Dk Jack <[email protected]> wrote:
>
> > Hi,
> > I am trying to understand the ssl cache timeout in ATS. According to the
> > documentation for proxy.config.ssl.session_cache, a default value of 2 is
> > chosen if it's not configured. For proxy.config.ssl.session_cache.timeout,
> > a default value of 0 is chosen, if it's not configured, which means ssl
> > cache_timeout is 300s. However, the note for session_cache_timeout says,
> > if the session_cache option is set to 2, the cache.timeout configuration
> > is irrelevant. If it's irrelevant, what is the default cache timeout, i.e.
> > is it still 300s or something else? I don't have either of these options
> > configured. Thanks.
> >
> > Dk.
> >
> > proxy.config.ssl.session_cache
> > <https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-session-cache>
> > Scope: CONFIG
> > Type: INT
> > Default: 2
> >
> > Enables the SSL session cache:
> >
> > Value  Description
> > 0      Disables the session cache entirely.
> > 1      Enables the session cache using OpenSSL’s implementation.
> > 2      Default. Enables the session cache using Traffic Server’s
> >        implementation. This implementation should perform much better
> >        than the OpenSSL implementation.
> >
> > proxy.config.ssl.session_cache.timeout
> > <https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-session-cache-timeout>
> > Scope: CONFIG
> > Type: INT
> > Default: 0
> >
> > This configuration specifies the lifetime of SSL session cache entries in
> > seconds. If it is 0, then the SSL library will use a default value,
> > typically 300 seconds. Note: This option has no affect when using the
> > Traffic Server session cache (option 2 in proxy.config.ssl.session_cache)
