Hi B.R.,
Thank you very much for your answer and sorry for the US-media-political-like 
message ;-)

So, if I understand correctly, using ssl_session_timeout makes sure that after 
the specified amount of time, the TLS/SSL Sessions will be removed/purged from 
the TLS/SSL Shared Cache?

Is that correct?
Kind regards,
Arnaud
From: nginx [mailto:[email protected]] On Behalf Of B.R.
Sent: lundi 11 avril 2016 13:23
To: nginx ML <[email protected]>
Subject: Re: TLS/SSL Cache Automatic Purge
Sounds like US media political messages: 'I am Arnaud, and I approve this 
message'. That said, welcome!


You will have to write your own module if you want to manually delete TLS 
sessions parameters instead of letting them expire after 10 minutes.

You could also emulate this daily purge by keeping stock nginx but setting:
ssl_session_timeout 1d;

albeit I for one do not recommend such settings since session parameters 
should probably not be remembered that long for several reasons...

On a side note, by default nginx does not store session parameters as it 
prefers tickets 
<http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets>, 
supported since v1.5.9, over session IDs.

The former is a more recent mechanism than the latter, and has the notable 
benefit of storing session parameters client-side, which scales, avoids cache 
management trouble such as yours and some other ones. There are some docs 
<http://chimera.labs.oreilly.com/books/1230000000545/ch04.html#TLS_RESUME> 
about that in the Web tubes.

Why not stick with those defaults (or even set ssl_session_cache to off to 
be absolutely clear)?

---
B. R.
On Mon, Apr 11, 2016 at 10:41 AM, Arnaud Van der Vorst <[email protected] 
<mailto:[email protected]> > wrote:

Hi,
My name is Arnaud and I am new to the list.
I would like to know if NGINX is using any automatic purge mechanism for its 
TLS/SSL Cache configured using the following directives:

ssl_session_timeout 10m;

ssl_session_cache shared:SSL:10m;
I understand that a daily purge of TLS/SSL Cache is highly recommended to avoid 
breaking Perfect Forward Secrecy of the TLS Protocol.

If it does NOT use automatic purge, how can I purge the Shared cache used by 
NGINX then?

Are there any command line tools for that purpose?
Thank you very much in advance for your answer and have a nice day!
Kind regards,
Arnaud


_______________________________________________
nginx mailing list
[email protected] <mailto:[email protected]> 
http://mailman.nginx.org/mailman/listinfo/nginx
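As an added configuration example, not taken from any message in this thread: the two directions discussed above, Arnaud's shared-cache setup and B.R.'s tickets-only suggestion, side by side, with comments on how entries expire and on the ticket-key handling that decides whether resumed sessions keep forward secrecy. Server names, certificate paths and ticket-key paths are placeholders; the directive semantics follow the nginx documentation.

```nginx
# Variant A: server-side session cache, the setup from the original question.
server {
    listen 443 ssl;
    server_name cache.example.com;                      # placeholder

    ssl_certificate     /etc/nginx/tls/example.crt;     # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;     # placeholder

    # Resumable session parameters are kept in this shared-memory zone,
    # visible to all workers. One megabyte holds about 4000 sessions.
    ssl_session_cache   shared:SSL:10m;

    # A client may resume a session for at most this long. There is no
    # cron-style purge: entries past the timeout are simply unusable, and
    # nginx reclaims expired slots when it needs room for new sessions.
    ssl_session_timeout 10m;

    # Tickets are on by default (since 1.5.9), so ticket-capable clients
    # resume via the ticket and never occupy the cache above.
    ssl_session_tickets on;
}

# Variant B: tickets only, as suggested in the reply. Nothing is stored
# server-side; the client carries its own encrypted session state.
server {
    listen 443 ssl;
    server_name tickets.example.com;                    # placeholder

    ssl_certificate     /etc/nginx/tls/example.crt;     # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;     # placeholder

    # Server-side cache disabled outright; ticket issuance is governed by
    # ssl_session_tickets, which stays at its default.
    ssl_session_cache   off;
    ssl_session_tickets on;

    # The same timeout also bounds how long an issued ticket stays usable.
    ssl_session_timeout 10m;

    # Forward secrecy of resumed sessions now rests on the ticket key. With
    # no ssl_session_ticket_key directive nginx uses a randomly generated
    # key, which changes on restart. To rotate on your own schedule, list
    # several files: the first encrypts and decrypts new tickets, the rest
    # only decrypt older ones, so rotating the files and reloading does not
    # break resumption. Each file holds 80 (or 48) bytes of random data,
    # e.g. created with: openssl rand 80 > ticket.1.key
    ssl_session_ticket_key /etc/nginx/tls/ticket.1.key;  # placeholder (current)
    ssl_session_ticket_key /etc/nginx/tls/ticket.2.key;  # placeholder (previous)
}
```

The point Arnaud's question turns on is that ssl_session_timeout is the expiry for both mechanisms, so a short timeout plus a regularly rotated ticket key gives the effect of a "daily purge" without any external tooling; setting the timeout to 1d, as mentioned in the thread, simply stretches the window in which a captured ticket or cache entry is still worth something to an attacker who later obtains the key.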