SSL session tickets are not good enough b/c they don't support modern cipher modes (like GCM) and they don't work with PFS.
Is it generally possible to implement session lookup in a non-blocking way in this case? If yes - is there any good example of OpenSSL's non-blocking callbacks?

P.S. As an alternative (and I don't like this idea) - we can distribute sessions to nginx cache via a custom-written module, something like it's done in stud.

On Sat, Sep 14, 2013 at 11:06 PM, Maxim Dounin <[email protected]> wrote:
> Hello!
>
> On Sat, Sep 14, 2013 at 02:49:49PM +0400, kyprizel wrote:
>
> > Hi,
> > I'm thinking on design of patch for adding distributed SSL session cache
> > and have a question -
> > is it possible and ok to create keepalive upstream to some storage
> > (memcached/redis/etc), then use it from
> > ngx_ssl_new_session/ngx_ssl_get_cached_session ?
>
> As far as I remember, OpenSSL doesn't provide a non-blocking
> interface to session lookup (I just did a quick look through the
> code, and it seems I remember it right). This basically ruins
> the idea unless you are brave enough to implement needed
> interfaces in OpenSSL.
>
> I would rather focus on a support for SSL session tickets shared
> between multiple servers.
>
> --
> Maxim Dounin
> http://nginx.org/en/donation.html
>
> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
