
SSL Labs still shows the following message even after I added the ssl_session_cache:

Session resumption (caching)    No (IDs assigned but not accepted)

Here is my full configuration:

server {
    listen       443 spdy; #Change to 443 when SSL is on
    ssl on;
    ssl_certificate    /etc/ssl/domain.com_bundle.crt;
    ssl_certificate_key  /etc/ssl/domain.com.key.nopass;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    #ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_buffer_size 8k;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/trustchain.crt;
    resolver 8.8.8.8 8.8.4.4;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    #rest config goes here
}

2 Answers


SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server.

The problem could be that you don't have SSL session caching enabled on the default server. To enable it, you just need to add that ssl_session_cache line to your default_server. Alternatively, if you'd like that configuration to work across all of your nginx virtual servers (which I would recommend), you could move the ssl_session_cache line outside of the server declaration, so it applies to all of them.

Here's the configuration I use:

# All your server-wide SSL configuration

# Enable SSL session caching for improved performance
# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
ssl_session_cache shared:ssl_session_cache:10m;

server {
    # All your normal virtual server configuration
}

Sources:

  1. I tested both options on my own server and SSL Labs loves it!
  2. This thread on the Nginx mailing list
  • But this was already part of the OP's config via ssl_session_cache shared:SSL:10m; or was it edited afterwards?
    – Karussell
    Commented Jun 27, 2017 at 9:14
  • @Karussell The important part is where you put the ssl_session_cache line. You need it to apply to the default server, so either put it in the global config (as shown above), or in your default_server config block.
    – dampkwab
    Commented Jun 28, 2017 at 1:55
  • So it would not work in the server { config as shown by the OP?
    – Karussell
    Commented Jun 28, 2017 at 17:38
  • Nope. When a client connects it first establishes or resumes a session, which is what the ssl_session_cache is used for. That server block doesn't take effect until later in the exchange, when SNI is used to determine which virtual server to connect to.
    – dampkwab
    Commented Jun 29, 2017 at 1:50
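The distinction dampkwab describes (resumption is negotiated before SNI selects a virtual server) can be checked from the command line. The script below is an added example, not code from the question or either answer; it assumes openssl(1) is installed, and HOST/PORT are placeholders. Running the probe once without -servername exercises the default virtual server exactly as SSL Labs does, and once with -servername exercises the named vhost; -no_ticket forces session-ID caching (the ssl_session_cache mechanism the SSL Labs message refers to, relevant for TLS 1.2 and earlier as in the OP's ssl_protocols) instead of session tickets.

```shell
#!/bin/sh
# Added example: probe TLS session-ID resumption with and without SNI.
# Assumes openssl(1) is available; HOST/PORT in the usage lines are placeholders.

# Classify `openssl s_client -reconnect` output: s_client makes one full
# handshake and then reconnects five times, printing "New, ..." for a full
# handshake and "Reused, ..." for a resumed one.
resumption_verdict() {
    # $1: captured s_client output. Prints accepted / not-accepted / unknown.
    new_count=$(printf '%s\n' "$1" | grep -c '^New, ' || true)
    reused_count=$(printf '%s\n' "$1" | grep -c '^Reused, ' || true)
    if [ "$reused_count" -gt 0 ]; then
        echo accepted
    elif [ "$new_count" -gt 1 ]; then
        # every reconnect did a full handshake: "IDs assigned but not accepted"
        echo not-accepted
    else
        echo unknown            # no handshake lines at all (connection failed?)
    fi
}

# Run the probe. $1 host, $2 port, $3 optional SNI name; an empty SNI name
# reproduces the no-SNI connection that lands on the default virtual server.
# -no_ticket disables session tickets so that only the session-ID cache
# (nginx ssl_session_cache) can provide resumption.
probe() {
    if [ -n "$3" ]; then
        out=$(openssl s_client -connect "$1:$2" -servername "$3" -reconnect -no_ticket </dev/null 2>&1 || true)
    else
        out=$(openssl s_client -connect "$1:$2" -reconnect -no_ticket </dev/null 2>&1 || true)
    fi
    printf '%s:%s SNI=%s -> %s\n' "$1" "$2" "${3:-none}" "$(resumption_verdict "$out")"
}

# Usage (placeholders): compare the default vhost with a named vhost.
# probe HOST 443
# probe HOST 443 domain.com
```

If the first line reports not-accepted while the second reports accepted, the cache is only configured in the named server block, which is the situation the answer above describes.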

When you use one server, it is correct. If you have a load balancer in front of the servers, it may be like this, because the request cannot be transmitted to the same server as before. I suggest ssl_session_tickets.

  • Could you be more specific?
    Commented Apr 18, 2017 at 6:30
