[openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Jan 6 06:21:13 UTC 2016
On Tue, Jan 05, 2016 at 02:44:32PM -0800, Zi Lin wrote:
> Hi OpenSSL devs,
>
> I want to propose a patch that makes OpenSSL compatible with
> asynchronous session lookup during session resumption.
I think this is a bad idea. If you want distributed session caches
use session tickets, and implement a distributed mechanism for
rotating the keys across the server farm. Actually, there's an RT
ticket for that, but the code is not quite what I'd like to see
adopted, and is no longer compatible with the substantially modified
SSL library in 1.1.0. So I'll likely just implement session ticket
key management from scratch when I get a chance.
I would strongly recommend against a distributed session store.
--
Viktor.
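The alternative Viktor recommends above is stateless session tickets with ticket keys rotated across the whole server farm, so that no node needs to look up session state anywhere. The following is an added example, not part of this thread and not OpenSSL's own code: a Python model of such a key ring. It assumes every node holds the same farm secret and a synchronised epoch counter, derives each epoch's ticket key from those two values, keeps a bounded number of retired keys for decryption only, and returns the same 0/1/2 result codes that OpenSSL's `SSL_CTX_set_tlsext_ticket_key_cb` callback uses (0 reject, 1 accept, 2 accept but re-issue under the current key). The HMAC-SHA256 keystream and encrypt-then-MAC layout are a stand-in for the cipher and HMAC contexts OpenSSL would hand to that callback, and are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: a session-ticket key ring whose keys are derived from a
# farm-wide secret plus an epoch counter. Every node that shares the secret and
# agrees on the epoch derives the same key, so tickets issued by one node can
# be opened by any other without a shared session store.
KEY_NAME_LEN = 16   # OpenSSL ticket key names are 16 bytes
NONCE_LEN = 16
TAG_LEN = 32
# Result codes follow the OpenSSL ticket-key callback convention (assumption):
# 0 = reject (full handshake), 1 = accept, 2 = accept but re-issue under current key.
REJECT, OK, RENEW = 0, 1, 2


def derive_ticket_key(farm_secret: bytes, epoch: int) -> dict:
    """Derive a key record (name, enc_key, mac_key) for an epoch from the shared secret."""
    material = hmac.new(farm_secret, b"ticket-key" + struct.pack(">Q", epoch), hashlib.sha512).digest()
    return {"epoch": epoch, "name": material[:16], "enc_key": material[16:48], "mac_key": material[48:64]}


class TicketKeyRing:
    """Newest key encrypts; a bounded tail of older keys is kept for decryption only."""

    def __init__(self, farm_secret: bytes, epoch: int, keep_previous: int = 1):
        self.farm_secret = farm_secret
        self.keep_previous = keep_previous
        self.keys = []
        self.rotate(epoch)

    def rotate(self, epoch: int) -> None:
        """Make `epoch` the encryption key and retire keys older than keep_previous epochs."""
        self.keys.insert(0, derive_ticket_key(self.farm_secret, epoch))
        del self.keys[self.keep_previous + 1:]

    @property
    def current(self) -> dict:
        return self.keys[0]

    def lookup(self, name: bytes):
        for key in self.keys:
            if hmac.compare_digest(key["name"], name):
                return key
        return None


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (constructed stand-in for a cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_ticket(ring: TicketKeyRing, session_state: bytes) -> bytes:
    """Ticket layout: key_name(16) | nonce(16) | ciphertext | HMAC tag(32)."""
    key = ring.current
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key["enc_key"], nonce, len(session_state))
    ciphertext = bytes(a ^ b for a, b in zip(session_state, stream))
    header = key["name"] + nonce
    tag = hmac.new(key["mac_key"], header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_ticket(ring: TicketKeyRing, ticket: bytes):
    """Return (result_code, session_state). Unknown key name or bad tag means a full handshake."""
    if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
        return REJECT, None
    key = ring.lookup(ticket[:KEY_NAME_LEN])
    if key is None:
        return REJECT, None  # key retired, or ticket from a farm with a different secret
    header, ciphertext, tag = ticket[:32], ticket[32:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(key["mac_key"], header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return REJECT, None  # tampered or truncated ticket
    nonce = header[KEY_NAME_LEN:]
    state = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key["enc_key"], nonce, len(ciphertext))))
    # An older-but-still-valid key means the session resumes, but the client gets a fresh ticket.
    return (OK if key is ring.current else RENEW), state


if __name__ == "__main__":
    node_a = TicketKeyRing(b"constructed-farm-secret", epoch=1)
    node_b = TicketKeyRing(b"constructed-farm-secret", epoch=1)
    ticket = issue_ticket(node_a, b"session-42")
    print(open_ticket(node_b, ticket))   # (1, b'session-42'): opened on another node
    node_b.rotate(2)
    print(open_ticket(node_b, ticket))   # (2, b'session-42'): accepted, re-issue under epoch 2
    node_b.rotate(3)
    print(open_ticket(node_b, ticket))   # (0, None): epoch 1 retired, full handshake
```

The design choice worth noting is the overlap window: a ticket sealed under the previous epoch is still accepted but answered with a fresh ticket (code 2), so rotation across the farm does not need to be instantaneous, while a key that has fallen out of the ring forces a full handshake rather than a lookup anywhere. In OpenSSL 1.0.2 the same decisions would live inside the `SSL_CTX_set_tlsext_ticket_key_cb` callback, with the epoch distribution mechanism (shared secret plus epoch, or a pushed key list) left to the operator.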