Piotr, are we talking about "session tickets" ( http://tools.ietf.org/html/rfc4507) ?
On Mon, Sep 16, 2013 at 12:30 PM, Piotr Sikora <[email protected]> wrote: > Hello, > > > SSL session tickets are not good enough b/c they don't support modern > cipher modes (like GCM) and they don't work with PFS. > > Neither is true. Below is the output of nginx's debug log for two SSL > handshakes. First connection creates new session (and does full > handshake), while the second one successfully reuses session (and is > doing only abbreviated handshake) using Session Ticket from the first > connection. As you can see, there was no problem with negotiating TLS > 1.2 or PFS cipher suite. > > [debug] 20655#0: *1 SSL_accept: before/accept initialization > [debug] 20655#0: *1 SSL server name: "localhost" > [debug] 20655#0: *1 SSL_accept: SSLv3 read client hello A > [debug] 20655#0: *1 SSL_accept: SSLv3 write server hello A > [debug] 20655#0: *1 SSL_accept: SSLv3 write certificate A > [debug] 20655#0: *1 SSL_accept: SSLv3 write key exchange A > [debug] 20655#0: *1 SSL_accept: SSLv3 write server done A > [debug] 20655#0: *1 SSL_accept: SSLv3 flush data > [debug] 20655#0: *1 SSL_do_handshake: -1 > [debug] 20655#0: *1 SSL_get_error: 2 > [debug] 20655#0: *1 SSL handshake handler: 0 > [debug] 20655#0: *1 SSL_accept: SSLv3 read client key exchange A > [debug] 20655#0: *1 SSL_accept: SSLv3 read finished A > [debug] 20655#0: *1 SSL_accept: SSLv3 write session ticket A > [debug] 20655#0: *1 SSL_accept: SSLv3 write change cipher spec A > [debug] 20655#0: *1 SSL_accept: SSLv3 write finished A > [debug] 20655#0: *1 SSL_accept: SSLv3 flush data > [debug] 20655#0: *1 SSL_do_handshake: 1 > [debug] 20655#0: *1 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 > TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD" > > [debug] 20655#0: *2 SSL_accept: before/accept initialization > [debug] 20655#0: *2 SSL server name: "localhost" > [debug] 20655#0: *2 SSL_accept: SSLv3 read client hello A > [debug] 20655#0: *2 SSL_accept: SSLv3 write server hello A > [debug] 20655#0: *2 SSL_accept: SSLv3 write change cipher spec A > [debug] 20655#0: *2 SSL_accept: SSLv3 write finished A > [debug] 20655#0: *2 SSL_accept: SSLv3 flush data > [debug] 20655#0: *2 SSL_do_handshake: -1 > [debug] 20655#0: *2 SSL_get_error: 2 > [debug] 20655#0: *2 SSL handshake handler: 0 > [debug] 20655#0: *2 SSL_accept: SSLv3 read finished A > [debug] 20655#0: *2 SSL_do_handshake: 1 > [debug] 20655#0: *2 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES128-GCM-SHA256 > TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD" > [debug] 20655#0: *2 SSL reused session > > Best regards, > Piotr Sikora > > _______________________________________________ > nginx-devel mailing list > [email protected] > http://mailman.nginx.org/mailman/listinfo/nginx-devel >
_______________________________________________ nginx-devel mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-devel
