Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/05/07 14:08:13 UTC

[GitHub] [apisix] kwanhur opened a new issue, #7005: feat: As a user, I want to make SSL session reusable by id across instances

kwanhur opened a new issue, #7005:
URL: https://github.com/apache/apisix/issues/7005

   ### Description
   
   As is known, building a new SSL connection takes two round trips between client and server under TLS1.2 or lower.
   
   So, to reduce the connection building cost, especially in a big cluster of APISIX, I hope the SSL session can be reused across different instances.
   
   For example, clientA builds an SSL connection with APISIX instanceA; the next time clientA reaches APISIX instanceB, if the SSL session can be reused, clientA and instanceB have no need to build a new SSL connection.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] kwanhur commented on issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
kwanhur commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1122244876

   Nope, it's not an outdated solution, it's an effective solution for TLS1.2 and below.
   Although TLS1.3 is supported by [a large number of browsers](https://caniuse.com/?search=TLS1.3), TLS1.2 will still be present along with TLS1.3 for decades.
   
   And TLS1.2 is enabled by default now, unless there is a plan to EOS (end of service) it soon.
   
   https://github.com/apache/apisix/blob/ab7a7675d2a1abb1f0299a8fd44e5f80435c2158/conf/config-default.yaml#L145




[GitHub] [apisix] spacewander commented on issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1120403290

   We need to modify Nginx to rotate SSL tickets so it is safe to reuse the session. See https://github.com/apache/apisix/issues/2638




[GitHub] [apisix] spacewander commented on issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1121877287

   Yes. But investing more resources in an outdated solution is not acceptable.




[GitHub] [apisix] spacewander closed issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #7005: feat: As a user, I want to make SSL session reusable by id across instances
URL: https://github.com/apache/apisix/issues/7005




[GitHub] [apisix] kwanhur commented on issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
kwanhur commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1121147493

   Now APISIX supports reusing the SSL session cache locally by default.
   
   https://github.com/apache/apisix/blob/1b5c1900da517bb7d34d4b221aace7242345e78a/apisix/cli/ngx_tpl.lua#L557-L561




[GitHub] [apisix] spacewander commented on issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1123155671

   Why not invest in SSL session tickets directly, which are supported in both TLS 1.3 and TLS 1.2?
   
   It is very bad to invest in an outdated solution!!!




[GitHub] [apisix] kwanhur commented on issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
kwanhur commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1120414805

   Emm, both ticket and ID can improve SSL session reuse. This issue is about reusing the SSL session by ID, just as the Apache TrafficServer [SSL Session Reuse Plugin](https://docs.trafficserver.apache.org/en/9.0.x/admin-guide/plugins/ssl_session_reuse.en.html) supports it with Redis.




[GitHub] [apisix] spacewander commented on issue #7005: feat: As a user, I want to make SSL session reusable by session id across instances

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1123156128

   Considered unacceptable.




[GitHub] [apisix] spacewander commented on issue #7005: feat: As a user, I want to make SSL session reusable by id across instances

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #7005:
URL: https://github.com/apache/apisix/issues/7005#issuecomment-1120419620

   It is possible to use session ID with OpenResty, like the https://github.com/openresty/lua-nginx-module#ssl_session_fetch_by_lua_block. But as the session ticket is the modern way (TLS 1.3 only uses session tickets to resume a session), I don't want to add a session ID reuse across instances feature in APISIX.


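
The session-ID mechanism referred to in the last comment above, as an added example that is not part of the thread and is not APISIX code (the issue was closed without this feature). It uses the OpenResty ssl_session_fetch_by_lua_block and ssl_session_store_by_lua_block hooks with lua-resty-core and lua-resty-redis; the Redis address, key prefix, TTL and the helper names fetch_session / store_session are assumptions.

```nginx
# Added example; Redis address, key prefix and TTL are assumed values.
# Belongs in the http {} block of an OpenResty build with lua-resty-core
# and lua-resty-redis on the Lua package path.
init_by_lua_block {
    local redis = require "resty.redis"
    local PREFIX, TTL = "tls_sess:", 300   -- short TTL: entries hold session secrets

    local function with_redis(fn)
        local red = redis:new()
        red:set_timeouts(100, 100, 100)    -- ms; a slow store must not stall handshakes
        local ok, err = red:connect("127.0.0.1", 6379)   -- assumed shared store
        if not ok then return nil, err end
        local res, cmd_err = fn(red)
        red:set_keepalive(10000, 32)
        return res, cmd_err
    end

    function fetch_session(id)             -- hypothetical helper name
        local res, err = with_redis(function(red)
            return red:get(PREFIX .. ngx.encode_base64(id))
        end)
        if not res or res == ngx.null then return nil, err end
        return res
    end

    function store_session(premature, id, sess)   -- hypothetical; runs in a timer
        if premature then return end
        with_redis(function(red)
            return red:set(PREFIX .. ngx.encode_base64(id), sess, "EX", TTL)
        end)
    end
}

ssl_session_fetch_by_lua_block {
    local ssl_sess = require "ngx.ssl.session"
    local id = ssl_sess.get_session_id()
    local sess = id and fetch_session(id)
    if sess then
        local ok, err = ssl_sess.set_serialized_session(sess)
        if not ok then ngx.log(ngx.ERR, "session resume failed: ", err) end
    end                                    -- on a miss the full handshake proceeds
}

ssl_session_store_by_lua_block {
    local ssl_sess = require "ngx.ssl.session"
    local id = ssl_sess.get_session_id()
    local sess = id and ssl_sess.get_serialized_session()
    -- cosockets are unavailable in this phase, so hand the write to a 0-delay timer
    if sess then ngx.timer.at(0, store_session, id, sess) end
}
```

Each stored value is a serialized TLS session including its master secret, so the shared store needs access control comparable to the server's private key, plus transport protection between instances and the store.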