Re: [squid-users] Does squid support TLS ticket based SSL session reuse?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 20 Jun 2013 18:05:35 +1200

On 20/06/2013 5:50 p.m., Ahmed Talha Khan wrote:
> I must say that the answer has confused me more.
>
>
>>> Does squid support SSL session reuse? If so then is it based on the
>>> older ssl session_identifiers or the TLS ticket scheme?
>>
>> Maybe, and Unknown.
>>
> What do you mean when you say unknown? Do you mean that if the origin
> server supports ssl session re-use using ticket, squid will only relay
> that ticket to the client? Or it will supply a new ticket?

Squid simply relays blocks of octets between OpenSSL and the other end
of the connection.
What is supported, and how it is performed is entirely dependent on
those ends - thus "maybe" about the support question. The squid.conf SSL
settings just expose the library config settings, which are also passed
to the library as-is during setup of the connection. What the library
uses to support any given flag is entirely beyond Squid - so "unknown"
about the implementation specific question.

>>> The next question is that if it does support the session reuse, how is
>>> the session cache maintained by squid?
>>
>> Squid does not maintain SSL session cache. Squid simply relays details to
>> and from OpenSSL. What happens in there is up to your OpenSSL library
>> configuration.
>>
>> Squid ssl_crtd and validator features maintain a cache of *certificates*
>> which have been generated or seen in the current traffic.
>>
> My question was not related to certificates. I wanted to ask about ssl
> sessions reuse.
>
>>> Also will the session reuse functionality be available both between
>>> client-squid and squid-origin server.
>>
>> No. client-squid and squid-origin traffic is unrelated. HTTP/1.1 contains
>> multiplexing which means any request may arrive in any client connection and
>> go out any suitable server connection.
>>
> What I meant to ask was whether squid offers the ssl session re-use
> capability on the client side?

Squid uses the same SSL context structure created by the library to
initialize all new client connections. The library may, or may not
support session re-use (may or may not support "session" at all even).
This is simply outside of Squid.

Amos
Received on Thu Jun 20 2013 - 06:05:50 MDT
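Since the reply above says that session reuse is whatever the OpenSSL library does with the options squid.conf hands it, the practical way to answer the original question is to ask the listener itself. The script below is an added example written for this archive page; it is not part of the thread, of Squid, or of any project the thread mentions. It assumes the openssl(1) command-line tool is installed, and the host and port in the usage line are placeholders. It does two handshakes against a TLS listener (Squid's https_port, or the origin server, since the two legs are independent), saves whatever the server handed out in the first and offers it back in the second, then reports whether the second handshake was resumed and whether the server issued a session ticket or only a session ID.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or from Squid itself:
# probe a TLS listener to see whether the library behind it resumes
# sessions, and whether it hands out RFC 5077 session tickets or only
# a session ID. Assumes the openssl(1) CLI is installed. The host and
# port in the usage line at the bottom are placeholders.

# classify_handshake reads one `openssl s_client` transcript on stdin
# and prints <new|reused>-<ticket|id|none>, or "unknown" if the
# transcript contains no handshake summary line at all.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"Reused, TLS"*|*"Reused, SSL"*) state=reused ;;
        *"New, TLS"*|*"New, SSL"*)       state=new ;;
        *) echo unknown; return 0 ;;
    esac
    case "$out" in
        # s_client prints this block only when the server sent a ticket
        *"TLS session ticket:"*)              mech=ticket ;;
        # TLS 1.3 has no ID-based resumption; the Session-ID shown there
        # is a compatibility value, so without a ticket nothing is reusable
        *"New, TLSv1.3"*|*"Reused, TLSv1.3"*) mech=none ;;
        # a non-empty Session-ID means the library's ID cache can be used
        *"Session-ID: "[0-9A-Fa-f]*)          mech=id ;;
        *)                                    mech=none ;;
    esac
    echo "$state-$mech"
}

# probe_resumption HOST PORT: first handshake stores what the server
# hands out (-sess_out), second offers it back (-sess_in). A "reused-*"
# result on the second line means the far end's library accepted it.
probe_resumption() {
    host=$1
    port=$2
    sess=$(mktemp) || return 1
    for mode in -sess_out -sess_in; do
        # 'Q' ends the s_client session; the short sleep gives a TLS 1.3
        # server time to deliver its post-handshake NewSessionTicket
        (sleep 1; printf 'Q\n') |
            openssl s_client -connect "$host:$port" -servername "$host" \
                "$mode" "$sess" 2>/dev/null |
            classify_handshake
    done
    rm -f "$sess"
}

# Usage (placeholder host and port; run it against Squid's https_port
# for the client leg, and against the origin for the server leg):
#   probe_resumption squid.example.net 3129
```

Reading the two lines it prints: "new-ticket" followed by "reused-ticket" means ticket-based reuse is working on that leg; "new-id" followed by "reused-id" means the library is resuming from its own session-ID cache; a second line starting with "new-" means the far end did not resume, which on the Squid side points at the library options Squid passed through from squid.conf rather than at Squid itself. Running it against the origin answers the squid-origin question separately, since, as the reply says, the two legs share nothing.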