Digging through the ATS and the OpenSSL code, the
proxy.config.ssl.session_cache.timeout always has effect regardless of
whether we are using the OpenSSL cache (proxy.config.ssl.session_cache ==
1) or the Traffic Server cache (proxy.config.ssl.session_cache == 2).  In
either case SSL_CTX_set_timeout is called.  Or if it isn't called, OpenSSL
sets the timeout for the CTX to 300 seconds.  All sessions are created with
that timeout value.  Whenever a session is possibly going to be reused (due
to a ticket or a session object fetched from cache), the timeout value is
checked.  If the timeout value has passed, the session object is rejected
(and removed from cache via the appropriate API).

So the phrase "Note: This option has no affect when using the
Traffic Server session cache (option 2 in proxy.config.ssl.session_cache)"
is incorrect and should be removed from our docs.

On Tue, Oct 9, 2018 at 9:09 PM Dk Jack <dnj0...@gmail.com> wrote:

> Hi,
> I am trying to understand the ssl cache timeout in ATS. According to the
> documentation for proxy.config.ssl.session_cache, a default value of 2 is
> chosen if it's not configured. For proxy.config.ssl.session_cache.timeout, a
> default value of 0 is chosen if it's not configured, which means ssl
> cache_timeout is 300s. However, the note for session_cache_timeout says, if
> the session_cache option is set to 2, the cache.timeout configuration is
> irrelevant. If it's irrelevant, what is the default cache timeout, i.e. is it
> still 300s or something else? I don't have either of these options
> configured. Thanks.
>
> Dk.
>
> proxy.config.ssl.session_cache
> <https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-session-cache>
> Scope: CONFIG
> Type: INT
> Default: 2
>
> Enables the SSL session cache:
> Value  Description
> 0      Disables the session cache entirely.
> 1      Enables the session cache using OpenSSL’s implementation.
> 2      Default. Enables the session cache using Traffic Server’s implementation.
>        This implementation should perform much better than the OpenSSL
>        implementation.
> proxy.config.ssl.session_cache.timeout
> <https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-session-cache-timeout>
> Scope: CONFIG
> Type: INT
> Default: 0
>
> This configuration specifies the lifetime of SSL session cache entries in
> seconds. If it is 0, then the SSL library will use a default value,
> typically 300 seconds. Note: This option has no affect when using the
> Traffic Server session cache (option 2 in proxy.config.ssl.session_cache)
>

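
The timeout handling described in the reply above, as a simplified model added here for illustration. It is not ATS or OpenSSL source: every struct and function name is hypothetical, the session ID and timestamps are constructed, and the 300-second default is the value stated in the thread.

```c
/* Simplified model of the timeout handling described in the reply above.
   Not ATS or OpenSSL source; every name below is hypothetical. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define LIB_DEFAULT_TIMEOUT 300 /* value the thread gives for a setting of 0 */
#define SLOTS 8

struct session { char id[33]; time_t created; long timeout; int used; };
struct cache { int mode; long ctx_timeout; struct session slot[SLOTS]; };

/* mode models proxy.config.ssl.session_cache (1 or 2); configured models
   proxy.config.ssl.session_cache.timeout. The mode does not affect the timeout. */
void cache_init(struct cache *c, int mode, long configured) {
    memset(c, 0, sizeof *c);
    c->mode = mode;
    c->ctx_timeout = configured > 0 ? configured : LIB_DEFAULT_TIMEOUT;
}

/* Every new session is stamped with the context timeout. */
int cache_add(struct cache *c, const char *id, time_t now) {
    for (int i = 0; i < SLOTS; i++) {
        struct session *s = &c->slot[i];
        if (s->used) continue;
        memset(s, 0, sizeof *s);
        strncpy(s->id, id, sizeof s->id - 1);
        s->created = now; s->timeout = c->ctx_timeout; s->used = 1;
        return 0;
    }
    return -1; /* cache full */
}

/* Resumption attempt: an expired session is rejected and evicted. */
const struct session *cache_resume(struct cache *c, const char *id, time_t now) {
    for (int i = 0; i < SLOTS; i++) {
        struct session *s = &c->slot[i];
        if (!s->used || strcmp(s->id, id) != 0) continue;
        if ((long)(now - s->created) > s->timeout) { s->used = 0; return NULL; }
        return s;
    }
    return NULL;
}

int main(void) {
    struct cache c;
    cache_init(&c, 2, 0); /* Traffic Server cache, timeout left at 0 */
    cache_add(&c, "constructed-session-id", 1000);
    printf("t=1200: %s\n", cache_resume(&c, "constructed-session-id", 1200) ? "resumed" : "rejected");
    printf("t=1400: %s\n", cache_resume(&c, "constructed-session-id", 1400) ? "resumed" : "rejected");
    return 0;
}
```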