A directive can have multiple meanings. Each variant is separated by a horizontal line.
ssl_session_cache
syntax: ssl_session_cache off | none | [builtin[:size]] [shared:name:size]
default: none
context: http, server
reference: ssl_session_cache
The directive sets the types and sizes of caches to store the SSL sessions.
The cache types are:
- off -- Hard off: nginx explicitly tells the client that sessions cannot be reused.
- none -- Soft off: nginx tells the client that sessions can be reused, but nginx never actually reuses them. This is a workaround for some mail clients, as ssl_session_cache may be used in the mail proxy as well as in the HTTP server.
- builtin -- the OpenSSL builtin cache, used inside one worker process only. The cache size is given as a number of sessions. Note: there appears to be a memory fragmentation issue with this method; take that into consideration when using it. See "References" below.
- shared -- the cache is shared between all worker processes. The size of the cache is assigned in bytes: 1 MB cache can contain roughly 4000 sessions. Each shared cache must be given an arbitrary name. A shared cache with a given name can be used in several virtual hosts.
It's possible to use both types of cache — builtin and shared — simultaneously, for example:
ssl_session_cache builtin:1000 shared:SSL:10m;
Bear in mind, however, that using only a shared cache, i.e. without builtin, should be more effective.
For Nginx versions below 0.8.34 this directive shouldn't be set to 'none' or 'off' if ssl_verify_client is set to 'on' or 'optional'.
- Note that for session resumption to work you'll need to have, at least, the server configured as default for the SSL socket. Like this:
This is because session resumption happens before any TLS extensions are enabled, namely Server Name Indication (SNI). The ClientHello message requests a session ID from a given IP address (server). For that to work, the default server setting is required.
A preferred approach is to move the ssl_session_cache directive to the http context. The (minor) downside is that all configured virtual hosts get the same SSL cache settings.
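The placement described above, as an added example that is not part of the original wiki page: one shared cache declared in the http context, with one server marked as the default for the SSL socket. Host names and certificate paths are placeholders.

```nginx
# Added example; host names and certificate paths are placeholders.
events {}

http {
    # One shared cache for all worker processes and all virtual hosts.
    # At roughly 4000 sessions per MB, 10m holds about 40000 sessions.
    ssl_session_cache shared:SSL:10m;

    server {
        # default_server makes this the default server for the SSL socket,
        # which session resumption needs because it is handled before SNI.
        listen 443 ssl default_server;
        server_name www.example.com;

        ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.com.key;
    }

    server {
        # Inherits the http-level cache; no ssl_session_cache line here,
        # so every virtual host gets the same cache settings.
        listen 443 ssl;
        server_name static.example.com;

        ssl_certificate     /etc/nginx/ssl/static.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/static.example.com.key;
    }
}
```

Resumption can be checked with `openssl s_client -connect www.example.com:443 -reconnect`, which reports each reconnection as `New` or `Reused`.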
Module: HttpSslModule
ssl_session_cache
syntax: ssl_session_cache [builtin[:size]] [shared:name:size]
default: builtin:20480
context: mail, server
The directive sets the types and sizes of caches to store the SSL sessions.
The cache types are:
- builtin -- the OpenSSL builtin cache, used inside one worker process only. The cache size is given as a number of sessions.
- shared -- the cache is shared between all worker processes. The size of the cache is given in bytes; a 1 MB cache can contain about 4000 sessions. Each shared cache must have an arbitrary name. A cache with the same name can be used in several virtual servers.
Both cache types can be used simultaneously, for example:
ssl_session_cache builtin:1000 shared:SSL:10m;
However, using only a shared cache, without builtin, should be more effective.
Module: MailSslModule