Re: [squid-users] Does squid support TLS ticket based SSL session reuse?

From: Ahmed Talha Khan <auny87_at_gmail.com>
Date: Thu, 20 Jun 2013 11:11:24 +0500

OK, let's assume that my library does support tickets. The end server
also does. Now how will squid manage those tickets? Will it
simply relay the ticket coming from the origin server side to the
client and vice versa?

On Thu, Jun 20, 2013 at 11:05 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 20/06/2013 5:50 p.m., Ahmed Talha Khan wrote:
>>
>> I must say that the answer has confused me more.
>>
>>
>>>> Does squid support SSL session reuse? If so then is it based on the
>>>> older ssl session_identifiers or the TLS ticket scheme?
>>>
>>>
>>> Maybe, and Unknown.
>>>
>> What do you mean when you say unknown? Do you mean that if the origin
>> server supports ssl session re-use using tickets, squid will only relay
>> that ticket to the client? Or will it supply a new ticket?
>
>
> Squid simply relays blocks of octets between OpenSSL and the other end of
> the connection.
> What is supported, and how it is performed, is entirely dependent on those
> ends - thus "maybe" about the support question. The squid.conf SSL settings
> just expose the library config settings, which are also passed to the
> library as-is during setup of the connection. What the library uses to
> support any given flag is entirely beyond Squid - so "unknown" about the
> implementation-specific question.
>
>
>
>>>> The next question is that if it does support the session reuse, how is
>>>> the session cache maintained by squid?
>>>
>>>
>>> Squid does not maintain an SSL session cache. Squid simply relays details to
>>> and from OpenSSL. What happens in there is up to your OpenSSL library
>>> configuration.
>>>
>>> Squid's ssl_crtd and validator features maintain a cache of *certificates*
>>> which have been generated or seen in the current traffic.
>>>
>> My question was not related to certificates. I wanted to ask about ssl
>> sessions reuse.
>>
>>>> Also, will the session reuse functionality be available both between
>>>> client-squid and squid-origin server?
>>>
>>>
>>> No. client-squid and squid-origin traffic is unrelated. HTTP/1.1 contains
>>> multiplexing which means any request may arrive in any client connection
>>> and go out any suitable server connection.
>>>
>> What I meant to ask was whether squid offers the ssl session re-use
>> capability on the client side?
>
>
> Squid uses the same SSL context structure created by the library to
> initialize all new client connections. The library may, or may not support
> session re-use (may or may not support "session" at all even). This is
> simply outside of Squid.
>
> Amos

-- 
Regards,
-Ahmed Talha Khan
Received on Thu Jun 20 2013 - 06:11:30 MDT
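The distinction the thread turns on, legacy session-ID resumption versus ticket-based resumption, is visible on the wire in the ClientHello: a non-empty legacy session ID, an RFC 5077 session_ticket extension (empty when the client merely advertises support, non-empty when it is presenting a ticket), or a TLS 1.3 pre_shared_key extension. Since Amos's reply makes the point that the client-squid and squid-origin connections are independent, each leg has to be inspected separately. The parser below does that classification. It is an added example, not code from the Squid project or from anyone on this thread; the ClientHello records it reads are constructed inline by build_client_hello() rather than captured, and the helper names (build_client_hello, parse_client_hello, resumption_offer, is_well_formed) are my own.

```python
"""Classify which TLS resumption mechanism a ClientHello offers (added example)."""
import struct

# ExtensionType values from the IANA TLS registry.
EXT_SESSION_TICKET = 35      # RFC 5077 session_ticket (tickets for TLS <= 1.2)
EXT_PRE_SHARED_KEY = 41      # RFC 8446 pre_shared_key (TLS 1.3 resumption)
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 supported_versions


def build_client_hello(session_id=b"", extensions=()):
    """Assemble a minimal, well-formed ClientHello record (constructed test input).

    The random field is a fixed pattern because this is sample data only.
    """
    body = struct.pack("!H", 0x0303)                       # legacy_version = TLS 1.2
    body += b"\x11" * 32                                   # random (fixed test data)
    body += struct.pack("!B", len(session_id)) + session_id
    suites = struct.pack("!HH", 0x1301, 0xC02F)            # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (session_id, {ext_type: ext_data}) for one record carrying one ClientHello.

    Every length field is checked against the data actually present, so a truncated
    or inconsistently framed record raises ValueError instead of being misread.
    """
    pos = 0

    def take(n):                                           # bounded read
        nonlocal pos
        if n < 0 or pos + n > len(record):
            raise ValueError("truncated or inconsistent length at offset %d" % pos)
        chunk = record[pos:pos + n]
        pos += n
        return chunk

    if take(1) != b"\x16":
        raise ValueError("not a TLS handshake record")
    take(2)                                                # record-layer version, ignored
    rec_len = struct.unpack("!H", take(2))[0]
    if rec_len != len(record) - 5:
        raise ValueError("record length does not match data")
    if take(1) != b"\x01":
        raise ValueError("not a ClientHello")
    if int.from_bytes(take(3), "big") != rec_len - 4:
        raise ValueError("handshake length does not match record")
    take(2)                                                # legacy_version
    take(32)                                               # random
    session_id = take(take(1)[0])
    take(struct.unpack("!H", take(2))[0])                  # cipher_suites, not needed here
    take(take(1)[0])                                       # compression_methods
    exts = {}
    if pos < len(record):                                  # extensions block is optional
        ext_len = struct.unpack("!H", take(2))[0]
        end = pos + ext_len
        if end != len(record):
            raise ValueError("extensions length does not match ClientHello")
        while pos < end:
            ext_type, length = struct.unpack("!HH", take(4))
            exts[ext_type] = take(length)
    return session_id, exts


def resumption_offer(record):
    """Return (mode, ticket_capable).

    mode: "psk" (TLS 1.3 pre_shared_key), "ticket" (session_ticket carries a
    ticket), "session-id" (legacy session ID, no ticket data) or "full" (nothing
    offered). ticket_capable is True whenever session_ticket is present at all;
    an empty one is how a TLS 1.2 client says it accepts tickets but holds none.
    """
    session_id, exts = parse_client_hello(record)
    ticket_capable = EXT_SESSION_TICKET in exts
    if EXT_PRE_SHARED_KEY in exts:
        mode = "psk"
    elif exts.get(EXT_SESSION_TICKET):
        mode = "ticket"
    elif session_id:
        mode = "session-id"
    else:
        mode = "full"
    return mode, ticket_capable


def is_well_formed(record):
    """True when parse_client_hello accepts the record."""
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples, one per mode. A real check would feed captured
    # ClientHellos from the client->Squid leg and the Squid->origin leg separately.
    samples = {
        "full handshake":     build_client_hello(),
        "session-id resume":  build_client_hello(b"\xaa" * 32, [(EXT_SESSION_TICKET, b"")]),
        "ticket resume":      build_client_hello(b"\xaa" * 32, [(EXT_SESSION_TICKET, b"\x00" * 48)]),
        "TLS 1.3 psk resume": build_client_hello(b"\xbb" * 32, [(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04"),
                                                                 (EXT_PRE_SHARED_KEY, b"\x00" * 18)]),
    }
    for name, rec in samples.items():
        print("%-20s -> %s" % (name, resumption_offer(rec)))
    print("truncated record accepted:", is_well_formed(samples["full handshake"][:-3]))
```

The parser expects exactly one record holding one ClientHello, which is what these constructed samples are; a captured hello that spans records or has trailing data would need reassembly first. Seeing a ticket in the ClientHello only shows that the client is attempting resumption. Whether the server accepted it is decided on the other side: in TLS 1.2 the server echoes the ClientHello's session ID and skips certificate delivery, and on a full handshake it may send a fresh NewSessionTicket; the ticket contents themselves are opaque to the client and to anything relaying the bytes.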

This archive was generated by hypermail 2.2.0 : Thu Jun 20 2013 - 12:00:05 MDT