Discussion:
ssl session cache timeout
Dk Jack
2018-10-10 02:08:43 UTC
Hi,
I am trying to understand the ssl cache timeout in ATS. According to the
documentation for proxy.config.ssl.session_cache, a default value of 2 is
chosen if it's not configured. For proxy.config.ssl.session_cache.timeout, a
default value of 0 is chosen if it's not configured, which means ssl
cache_timeout is 300s. However, the note for session_cache_timeout says, if
the session_cache option is set to 2, the cache.timeout configuration is
irrelevant. If it's irrelevant, what is the default cache timeout, i.e. is it
still 300s or something else? I don't have either of these options
configured. Thanks.

Dk.

proxy.config.ssl.session_cache
<https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-session-cache>
Scope: CONFIG
Type: INT
Default: 2

Enables the SSL session cache:
Value  Description
0      Disables the session cache entirely.
1      Enables the session cache using OpenSSL’s implementation.
2      Default. Enables the session cache using Traffic Server’s
       implementation. This implementation should perform much better
       than the OpenSSL implementation.

proxy.config.ssl.session_cache.timeout
<https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-session-cache-timeout>
Scope: CONFIG
Type: INT
Default: 0

This configuration specifies the lifetime of SSL session cache entries in
seconds. If it is 0, then the SSL library will use a default value,
typically 300 seconds. Note: This option has no affect when using the
Traffic Server session cache (option 2 in proxy.config.ssl.session_cache)
Susan Hinrichs
2018-10-10 14:50:25 UTC
Digging through the ATS and the OpenSSL code, the
proxy.config.ssl.session_cache.timeout always has effect regardless of
whether we are using the OpenSSL cache (proxy.config.ssl.session_cache ==
1) or the Traffic Server cache (proxy.config.ssl.session_cache == 2). In
either case SSL_CTX_set_timeout is called. Or if it isn't called, OpenSSL
sets the timeout for the CTX to 300 seconds. All sessions are created with
that timeout value. Whenever a session is possibly going to be reused (due
to a ticket or a session object fetched from cache), the timeout value is
checked. If the timeout value has passed, the session object is rejected
(and removed from cache via the appropriate API).

So the phrase "Note: This option has no affect when using the
Traffic Server session cache (option 2 in proxy.config.ssl.session_cache)"
is incorrect and should be removed from our docs.
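
The behaviour described in the reply above, as an added example that is not part of the original thread and is not ATS or OpenSSL code: it reads the two records from a records.config snippet, resolves the effective session lifetime, and applies the reuse-time expiry check. The function names and the sample config are constructed for illustration; ticket handling when the cache is disabled is out of scope.

```python
import re

# Library default cited in the thread for an unset (0) timeout, in seconds.
OPENSSL_DEFAULT_TIMEOUT = 300

# records.config line shape: CONFIG <name> INT <value>
RECORD_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+INT\s+(-?\d+)\s*$")


def parse_records(text):
    """Return {record name: int value} for the INT records in the snippet."""
    records = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        match = RECORD_RE.match(line)
        if match:
            records[match.group(1)] = int(match.group(2))
    return records


def effective_session_lifetime(records):
    """Seconds a cached session stays resumable; None if the cache is off."""
    mode = records.get("proxy.config.ssl.session_cache", 2)            # documented default
    timeout = records.get("proxy.config.ssl.session_cache.timeout", 0)  # documented default
    if mode == 0:
        return None
    # Per the reply: the timeout applies in mode 1 and mode 2 alike,
    # and 0 leaves the SSL library default in place.
    return timeout if timeout > 0 else OPENSSL_DEFAULT_TIMEOUT


def session_reusable(created_at, lifetime, now):
    """Reuse-time check: the session is rejected once its lifetime has passed."""
    return (now - created_at) <= lifetime


# Constructed sample: Traffic Server cache (mode 2) with an explicit timeout.
SAMPLE_CONFIG = """\
# constructed example, not from the thread
CONFIG proxy.config.ssl.session_cache INT 2
CONFIG proxy.config.ssl.session_cache.timeout INT 600
"""

if __name__ == "__main__":
    for label, text in (("unconfigured", ""), ("sample", SAMPLE_CONFIG)):
        print(label, effective_session_lifetime(parse_records(text)))
```
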
Dk Jack
2018-10-10 17:25:15 UTC
Thanks Susan!