TLS - Config - Cache

Synopsis

Subsection of tls-config_tls-common.

Session resumption / fast reauthentication cache.

The cache contains the following information:

session Id

unique identifier managed by SSL

User-Name

from the Access-Accept

Stripped-User-Name

from the Access-Request

Cached-Session-Policy

from the Access-Accept

The Cached-Session-Policy is the name of a policy that should be applied to the cached session. This policy can be used to assign VLANs, IP addresses, etc. It serves as a useful way to re-apply the policy from the original Access-Accept to the subsequent Access-Accept for the cached session. On session resumption, these attributes are copied from the cache and placed into the reply list. You probably also want use_tunneled_reply = yes when using fast session resumption.

Processing Sections

Any.

Expansions

None.

Directives

enable
Syntax

enable = boolean

Default

yes

Description

Enable it. The default is no. Deleting the entire cache subsection also disables caching. You can disallow resumption for a particular user by adding Allow-Session-Resumption=no to the control item list.

Note
 If enable = no, you CANNOT enable resumption for just one user by setting the above attribute to yes.
lifetime
Syntax

lifetime = string

Default

24 hours

Description

Lifetime of the cached entries, in hours. The sessions will be deleted after this time.

max_entries
Syntax

max_entries = integer

Default

255

Description

The maximum number of entries in the cache. Set to "0" for "infinite". This could be set to the number of users who are logged in…​ which can be a LOT.

name
Syntax

name = ++

Default

string

Description

Internal name of the session cache. Used to distinguish to which TLS context the sessions belong. If no value is input, the server will generate a random value. This will change across server restart so you MUST set the name if you want that value to remain constant (persist) for each session.

persist_dir
Syntax

persist_dir = string

Default

${logdir}/tlscache

Description

Simple directory-based storage of sessions. Two files per session will be written, the SSL state and the cached VPs. This will persist session across server restarts. The server will need write permissions, and the directory should be secured. The following script will remove old files from this location periodically:

find ${logdir}/tlscache -mtime +2 -exec rm -f {} \;

This feature REQUIRES name option be set above.