Ok, let's assume that my library does support tickets. The end-server also does that. Now how will squid manage those tickets? Will it simply relay the ticket coming from the origin server side to the client and vice-versa?

On Thu, Jun 20, 2013 at 11:05 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 20/06/2013 5:50 p.m., Ahmed Talha Khan wrote:
>>
>> I must say that the answer has confused me more.
>>
>>>> Does squid support SSL session reuse? If so then is it based on the
>>>> older ssl session_identifiers or the TLS ticket scheme?
>>>
>>> Maybe, and Unknown.
>>>
>> What do you mean when you say unknown? Do you mean that if the origin
>> server supports ssl session re-use using ticket, squid will only relay
>> that ticket to the client? Or it will supply a new ticket?
>
> Squid simply relays blocks of octets between OpenSSL and the other end of
> the connection.
> What is supported, and how it is performed is entirely dependent on those
> ends - thus "maybe" about the support question. The squid.conf SSL settings
> just expose the library config settings, which are also passed to the
> library as-is during setup of the connection. What the library uses to
> support any given flag is entirely beyond Squid - so "unknown" about the
> implementation specific question.
>
>>>> The next question is that if it does support the session reuse, how is
>>>> the session cache maintained by squid?
>>>
>>> Squid does not maintain SSL session cache. Squid simply relays details to
>>> and from OpenSSL. What happens in there is up to your OpenSSL library
>>> configuration.
>>>
>>> Squid ssl_crtd and validator features maintain a cache of *certificates*
>>> which have been generated or seen in the current traffic.
>>>
>> My question was not related to certificates. I wanted to ask about ssl
>> sessions reuse.
>>
>>>> Also will the session reuse functionality be available both between
>>>> client-squid and squid-origin server.
>>>
>>> No. client-squid and squid-origin traffic is unrelated. HTTP/1.1 contains
>>> multiplexing which means any request may arrive in any client connection
>>> and go out any suitable server connection.
>>>
>> What I meant to ask was whether squid offers the ssl session re-use
>> capability on the client side?
>
> Squid uses the same SSL context structure created by the library to
> initialize all new client connections. The library may, or may not support
> session re-use (may or may not support "session" at all even). This is
> simply outside of Squid.
>
> Amos

--
Regards,
-Ahmed Talha Khan
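Since the thread's answer is that resumption is decided by the OpenSSL ends rather than by Squid, the practical way to settle the client-side question is to probe the listener itself. The following POSIX shell probe is an added example, not code from this thread or from the Squid project; it assumes the openssl command-line tool is installed, and the local s_server with its self-signed certificate is constructed only for the demo.

```shell
#!/bin/sh
# tls_resumes HOST PORT: connect twice with openssl s_client, offering the
# session material (session ID or ticket) saved from the first handshake on
# the second one. Prints "reused" (exit 0) or "new" (exit 1). Point it at a
# Squid https_port to see what the proxy's OpenSSL context actually does.
tls_resumes() {
  sess=$(mktemp) || return 2
  # First handshake: s_client writes the session (ticket included) to $sess.
  # -ign_eof keeps the connection open until the server closes it, so the
  # post-handshake TLS 1.3 tickets are received before s_client exits.
  printf 'GET / HTTP/1.0\r\n\r\n' |
    openssl s_client -connect "$1:$2" -ign_eof -sess_out "$sess" >/dev/null 2>&1
  # Second handshake: offer the saved session. s_client reports
  # "Reused, TLSv1.x, Cipher is ..." when the server accepted it, "New, ..." otherwise.
  out=$(printf 'GET / HTTP/1.0\r\n\r\n' |
    openssl s_client -connect "$1:$2" -ign_eof -sess_in "$sess" 2>/dev/null)
  rm -f "$sess"
  case "$out" in
    *Reused,*) echo reused; return 0 ;;
    *)         echo new;    return 1 ;;
  esac
}

# demo_local [PORT]: throw-away openssl s_server on 127.0.0.1 with a
# self-signed certificate generated on the fly (constructed test data).
# s_server enables its session cache and session tickets by default, which
# is exactly the "library configuration" the thread says Squid inherits.
demo_local() {
  port=${1:-44343}
  dir=$(mktemp -d) || return 2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 2
  openssl s_server -accept "$port" -cert "$dir/cert.pem" -key "$dir/key.pem" \
    -www >/dev/null 2>&1 </dev/null &
  srv=$!
  sleep 1                      # let the listener come up
  tls_resumes 127.0.0.1 "$port"
  rc=$?
  kill "$srv" 2>/dev/null
  wait "$srv" 2>/dev/null
  rm -rf "$dir"
  return $rc
}
```

Running the same probe against a Squid https_port, and separately against the origin server, shows whether each leg resumes on its own; a "new" result on the proxy leg means the library context Squid was built or configured with is not handing out usable sessions.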