Posted to users@httpd.apache.org by Qingshan Xie <xi...@yahoo.com> on 2010/12/05 01:30:47 UTC

[users@httpd] How to configure SSL-Proxy Session-Resumption?

Hello!

  We have a Reverse Proxy server, which initiates an SSL connection to the backend 
server, functioning as an SSL client.  In order to enable Session-Resumption, 
should we configure SSLSessionCache and SSLSessionCacheTimeout?

Thanks, 
Q.Xie


      

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How to configure SSL-Proxy Session-Resumption?

Posted by Rainer Jung <ra...@kippdata.de>.
On 05.12.2010 01:30, Qingshan Xie wrote:
> Hello!
>
>    We have a Reverse Proxy server, which initiates an SSL connection to the backend
> server, functioning as an SSL client.  In order to enable Session-Resumption,
> should we configure SSLSessionCache and SSLSessionCacheTimeout?

AFAIR the reverse proxy does not implement session resumption for SSL 
backends. It neither uses its own SSL session cache nor the caching 
facilities provided by OpenSSL itself. It only uses its own SSL session 
caching when acting as an SSL server, not when acting as an SSL client.

It is not as bad as it sounds: the proxy - if configured correctly - 
uses HTTP Keep-Alive connections to the SSL backend and dispatches all 
incoming requests to a pool of backend connections. So when load 
increases you typically need far fewer backend connections and thus SSL 
handshakes than you would need for direct client communications.

I did a little experiment a few months ago, so there is a patch for 
Apache 2.2.x at 
http://people.apache.org/~rjung/patches/apache-2_2-revproxy_ssl_client_session.patch 
which uses Apache's internal session cache also for the SSL client in 
the reverse proxy. The patch is experimental. As far as I remember it 
did work, but there are some debug statements in it etc. It was 
developed using 2.2.15, but it does apply cleanly to the head of 2.2. 
When experimenting with the patch it will use the settings provided by 
SSLSessionCache and SSLSessionCacheTimeout.

Regards,

Rainer
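
Added illustration of the connection pooling described in the reply above (not part of the original thread and not taken from the linked patch): an Apache 2.2 reverse-proxy configuration that keeps persistent HTTPS connections to the backend, so the SSL handshake is paid once per pooled connection rather than once per request. The host name, the /app/ path and all numeric values are constructed placeholders.

```apache
# Added example; backend.example.internal, /app/ and the numbers below are
# constructed placeholders, not values from the thread.

# Let mod_proxy act as an SSL client towards https:// backends.
SSLProxyEngine On

# Pooled, persistent backend connections. The pool is per httpd child
# process; with the prefork MPM each child holds at most one connection.
#   max  - hard limit of connections to this backend per child
#   smax - idle connections above this number are closed after ttl
#   ttl  - idle lifetime in seconds for connections above smax
ProxyPass        /app/ https://backend.example.internal/app/ max=20 smax=5 ttl=60
ProxyPassReverse /app/ https://backend.example.internal/app/

# The backend must allow persistent connections as well. If it is an
# Apache httpd, that means KeepAlive On there, with a KeepAliveTimeout
# long enough that it does not close idle connections before the proxy
# reuses them.

# Settings that defeat reuse. Each one makes the proxy close the backend
# connection after every request; since the SSL client side does not
# resume sessions (per the reply above), that means a full SSL handshake
# per proxied request. Shown commented out for comparison only:
#   ProxyPass /app/ https://backend.example.internal/app/ disablereuse=On
#   SetEnv proxy-nokeepalive 1
```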
