SSLCACHE (JANUS DEFINE parameter)

From m204wiki
(Redirected from SSLCACHE)
Jump to navigation Jump to search

SSLCACHE xxxx — number of cache entries for SSL sessions

SSLCACHE is a parameter on JANUS DEFINE, which defines and sets characteristics of a Janus port.

This parameter specifies the number of entries in virtual storage to be allocated for caching information related to this port's SSL sessions. A Janus port whose definition includes an SSL parameter supports Janus Network Security SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encrypted sessions.

The SSL cache helps limit the CPU overhead of establishing an SSL session. It does not reduce the effectiveness of security, but it does reduce the overhead at the cost of a relatively small amount of virtual storage.

SSL sessions can persist for a length of time determined by either the client or server. Janus Network Security limits the life-span of SSL V2 connection sessions to the lesser of 2 minutes or the value of SSLMAXAGE, and it limits SSL V3 and TLS connections to 1440 minutes (24 hours). For most sites, the default SSLCACHE should be sufficient.

Each session requires approximately 512 bytes per entry to cache session related information. A further SSLMAXCERTL bytes are required to hold server certificates for CLSOCK ports, or to hold client certificates for Janus server ports that request them by including SSLCLCERT or SSLCLCERTR.

If the SSLCACHE value is too small, and a larger than anticipated number of users attempt to access an SSL-secured port, entries in the cache are removed on a least-recently-used basis. This may lead to greater overhead for re-execution of the CPU intensive initial public-key/private-key encryption/decryption operations. The indicator that the SSLCACHE value is not large enough to hold all the contemporaneous SSL sessions is a non-zero value in the "SesNF" column of the JANUS SSLSTAT command result. This is not necessarily problematic as long as the SesNF value is relatively small, because it is not unreasonable to suffer an occasional lost session in order to reduce virtual storage.

Note: SSLCACHE is specified in entries, and the default SSLCACHE allocation is the number of storage entries required for 16 times the number of threads defined on the port. So by default, 10 threads would result in 160 entries; at 512 bytes per entry, this would require 81,920 bytes of virtual storage. 100 threads would require 819,200 bytes.

The default SSLCACHE value is likely to be excessively large for CLSOCK ports that only connect to a single or to a few servers. All CLSOCK connections to a particular server use the same SSL session regardless of how many different threads initiate connections.

SSLCACHE is valid for SRVSOCK, CLSOCK (but not DEBUGGERCLIENT, WEBSERV, OPENSERV, and SDS port types.

See also