当前位置: 首页 > 工具软件 > Zebra_Session > 使用案例 >

代码干货 | nginx中session ticket重用Session提高https性能分析

韦修文
2023-12-01

本文来源于阿里云-云栖社区,原文点击这里


https会话建立初次使用session ticket的SSL握手流程如下:


     Client                                               Server

     ClientHello
    (empty SessionTicket extension)-------->
                                                     ServerHello
                                 (empty SessionTicket extension)
                                                    Certificate*
                                              ServerKeyExchange*
                                             CertificateRequest*
                                  <--------      ServerHelloDone
     Certificate*
     ClientKeyExchange
     CertificateVerify*
     [ChangeCipherSpec]
     Finished                     -------->
                                                NewSessionTicket
                                              [ChangeCipherSpec]
                                  <--------             Finished
     Application Data             <------->     Application Data


Figure 1: Message Flow for Full Handshake Issuing New Session Ticket

If the server successfully verifies the client's ticket, then it MAY renew the ticket by including a NewSessionTicket handshake message after the ServerHello in the abbreviated handshake. The client should start using the new ticket as soon as possible after it verifies the server's Finished message for new connections. Note that since the updated ticket is issued before the handshake completes, it is possible that the client may not put the new ticket into use before it initiates new connections. The server MUST NOT assume that the client actually received the updated ticket until it successfully verifies the client's Finished message.

而session重用时SSL握手简化为如下步骤:


   Client                                                Server
     ClientHello
     (SessionTicket extension)      -------->
                                                      ServerHello
                                  (empty SessionTicket extension)
                                                 NewSessionTicket
                                               [ChangeCipherSpec]
                                   <--------             Finished
     [ChangeCipherSpec]
     Finished                      -------->
     Application Data              <------->     Application Data

Figure 2: Message Flow for Abbreviated Handshake Using New Session
                              Ticket


使用session ticket机制可以提高ssl握手的效率,并节约有效的服务器计算资源.(另外一种是使用session cache)

nginx中使用 ssl_session_ticket_key file; 指令来配置用于加密或解密SSL session_ticket的密钥, 如果用了多个指令文件,则仅第一个指令文件中的密钥用来加密; 其它的密钥文件,并且第一个密钥文件都可以用做解密.


 展开全文

 类似资料: