[openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 6 06:21:13 UTC 2016


On Tue, Jan 05, 2016 at 02:44:32PM -0800, Zi Lin wrote:

> Hi OpenSSL devs,
> 
> I want to propose a patch that makes OpenSSL compatible with
> asynchronous session lookup during session resumption.

I think this is a bad idea.  If you want distributed session caches
use session tickets, and implement a distributed mechanism for
rotating the keys across the server farm.  Actually, there's an RT
ticket for that, but the code is not quite what I'd like to see
adopted, and is no longer compatible with the substantially modified
SSL library in 1.1.0.  So I'll likely just implement session ticket
key management from scratch when I get a chance.

I would strongly recommend against a distributed session store.

-- 
	Viktor.
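As an added illustration of the alternative Viktor recommends (not code from the original thread, from Zi Lin's patch, or from OpenSSL itself): a stateless ticket-key scheme in which every server in the farm derives the same per-epoch ticket key from one shared master secret and the clock, so no distributed session store and no key-distribution round trip is needed at resumption time. The key-name/encrypt/MAC split and the 0/1/2 status values mirror what an OpenSSL SSL_CTX_set_tlsext_ticket_key_cb() callback returns (0: unknown key, fall back to a full handshake; 1: decrypted with the current key; 2: decrypted with an older key, issue a fresh ticket). Everything else is an assumption for the example: the one-hour rotation period, the one-epoch grace window, the HKDF-style derivation labels, and an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, used here only because the Python standard library has no AES; a real deployment would use the AES-CBC/HMAC (or AES-GCM) cipher contexts the OpenSSL callback hands you. How the master secret itself reaches each node is out of scope.

```python
import hashlib
import hmac
import os
import struct
import time

KEY_NAME_LEN = 16      # OpenSSL's ticket key_name is 16 bytes
IV_LEN = 16
TAG_LEN = 32
ROTATE_SECS = 3600     # assumption: a fresh ticket key every hour
GRACE_EPOCHS = 1       # assumption: the previous epoch's key still decrypts, but triggers renew


def derive_epoch_key(master: bytes, epoch: int) -> dict:
    """Every node with the same master secret derives identical key material for an epoch.
    HKDF-style: extract a PRK bound to the epoch, then expand into name/enc/mac keys."""
    prk = hmac.new(master, b"ticket-key-v1" + struct.pack(">Q", epoch), hashlib.sha256).digest()

    def expand(label: bytes, n: int) -> bytes:
        return hmac.new(prk, label, hashlib.sha256).digest()[:n]

    return {"epoch": epoch, "name": expand(b"name", KEY_NAME_LEN),
            "enc": expand(b"enc", 32), "mac": expand(b"mac", 32)}


class TicketKeyRing:
    """The per-server view of the farm-wide key schedule. Only the master secret is shared."""

    def __init__(self, master: bytes, clock=time.time):
        self.master = master
        self.clock = clock          # injectable for tests; production uses time.time

    def current_epoch(self) -> int:
        return int(self.clock()) // ROTATE_SECS

    def current_key(self) -> dict:
        return derive_epoch_key(self.master, self.current_epoch())

    def lookup(self, name: bytes):
        """Decrypt-side key selection, as in the ticket_key_cb: (key, status) with
        status 1 = current key, 2 = older key still inside the grace window (renew),
        0 = unknown name, so the client gets a full handshake instead."""
        cur = self.current_epoch()
        for age in range(GRACE_EPOCHS + 1):
            k = derive_epoch_key(self.master, cur - age)
            if hmac.compare_digest(k["name"], name):
                return k, (1 if age == 0 else 2)
        return None, 0


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the AES cipher OpenSSL would use."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal_ticket(ring: TicketKeyRing, session_state: bytes) -> bytes:
    """Ticket layout: key_name || iv || ciphertext || tag (encrypt-then-MAC)."""
    k = ring.current_key()
    iv = os.urandom(IV_LEN)
    ct = bytes(a ^ b for a, b in zip(session_state, _keystream(k["enc"], iv, len(session_state))))
    body = k["name"] + iv + ct
    return body + hmac.new(k["mac"], body, hashlib.sha256).digest()


def open_ticket(ring: TicketKeyRing, ticket: bytes):
    """Returns (session_state, status); (None, 0) whenever the ticket must be rejected."""
    if len(ticket) < KEY_NAME_LEN + IV_LEN + TAG_LEN:
        return None, 0
    k, status = ring.lookup(ticket[:KEY_NAME_LEN])
    if k is None:
        return None, 0
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k["mac"], body, hashlib.sha256).digest(), tag):
        return None, 0            # forged or corrupted ticket: never decrypt unauthenticated data
    iv = body[KEY_NAME_LEN:KEY_NAME_LEN + IV_LEN]
    ct = body[KEY_NAME_LEN + IV_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(k["enc"], iv, len(ct)))), status


if __name__ == "__main__":
    # Two independent nodes sharing only the master secret; a fake clock drives rotation.
    master, clock = os.urandom(32), [time.time()]
    node_a = TicketKeyRing(master, clock=lambda: clock[0])
    node_b = TicketKeyRing(master, clock=lambda: clock[0])
    ticket = seal_ticket(node_a, b"constructed session state")
    print(open_ticket(node_b, ticket))          # decrypted by a different node, status 1
    clock[0] += ROTATE_SECS
    print(open_ticket(node_b, ticket))          # key rotated once: still accepted, status 2 (renew)
    clock[0] += ROTATE_SECS
    print(open_ticket(node_b, ticket))          # outside the grace window: (None, 0)
```

The point of the design is that the only state the farm has to agree on is the master secret and approximately synchronised clocks; the per-epoch keys, their names, and the renew/reject decision all fall out deterministically on every node, which is what makes the approach preferable to a shared session store that every server must query on each resumption.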