RFC5077 stateless tls session tickets
|Reported by:|www.google.com/accounts/o8/id?id=AItOawlBWBXrq65i6-490NG_M0c03GVhlC9lno8|Owned by:|somebody|
|Keywords:|ssl tls tickets session|Cc:| |
|nginx -V:|not applicable|
As nginx's design wants to use constant memory, allocating a large block of shared memory for session tickets isn't in keeping with that. RFC 5077 describes how a web server only needs to maintain a small number of AES encryption keys (so that TLS sessions are always available as AES keys expire) that are shared between all SSL sessions. The clients will maintain an initialisation vector.
OpenSSL has a callback SSL_CTX_set_tlsext_ticket_key_cb that came out in release 0.9.8h that assists with this function. Can't find its documentation? I wrote some for this: http://rt.openssl.org/Ticket/Display.html?id=2697
If client certificates are used, then some amount of memory will be needed to map a client state to the client certificate (which won't be sent when SSL session tickets are used).
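
The small, fixed set of rotating keys described in this ticket, sketched as an added example (not nginx or OpenSSL code): it models only the key-selection decision that a callback registered with SSL_CTX_set_tlsext_ticket_key_cb would make, and calls no OpenSSL functions. The struct and function names, the three-slot ring and the one-hour lifetime are assumptions of this example, and the ring must start zero-filled.

```c
#include <string.h>
#include <time.h>

#define RING_SLOTS   3      /* fixed slot count: memory use never grows */
#define KEY_LIFETIME 3600   /* assumed: seconds between rotations */

/* key_name is 16 bytes as in RFC 5077 section 4; key sizes are this example's choice */
struct ticket_key {
    unsigned char name[16], aes[16], hmac[32];
    time_t created;         /* 0 = empty slot */
};

struct key_ring { struct ticket_key slot[RING_SLOTS]; };  /* slot[0] = current */

/* Install 64 fresh CSPRNG bytes (e.g. from RAND_bytes) as the current key;
 * older keys shift down one slot and the oldest falls off the end. */
void ring_rotate(struct key_ring *r, const unsigned char fresh[64], time_t now)
{
    memmove(&r->slot[1], &r->slot[0], sizeof r->slot[0] * (RING_SLOTS - 1));
    memcpy(r->slot[0].name, fresh, 16);
    memcpy(r->slot[0].aes, fresh + 16, 16);
    memcpy(r->slot[0].hmac, fresh + 32, 32);
    r->slot[0].created = now;
}

/* Key for encrypting a new ticket (the callback's enc == 1 case). */
const struct ticket_key *ring_current(const struct key_ring *r)
{
    return r->slot[0].created ? &r->slot[0] : NULL;
}

/* Lookup for an incoming ticket (enc == 0). Return values mirror the callback:
 * 0 = unknown or expired key, fall back to a full handshake; 1 = resume;
 * 2 = resume, and reissue the ticket under the current key. */
int ring_lookup(const struct key_ring *r, const unsigned char name[16],
                time_t now, const struct ticket_key **out)
{
    for (int i = 0; i < RING_SLOTS; i++) {
        const struct ticket_key *k = &r->slot[i];
        /* key_name travels in the clear, so a plain memcmp is fine here */
        if (!k->created || memcmp(k->name, name, 16) != 0)
            continue;
        if (now - k->created > (time_t)KEY_LIFETIME * RING_SLOTS)
            return 0;   /* survived in the ring too long: refuse */
        *out = k;
        return i == 0 ? 1 : 2;
    }
    return 0;
}
```

Tickets sealed under a key that has rotated out simply fail the lookup and cost one full handshake, which is what lets the server hold three keys instead of a session cache.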