What is the default Nginx SSL session cache size and why is it insufficient?

The default is `builtin:1000`, which stores 1000 sessions per worker process with no sharing between workers. On any multi-worker Nginx instance under real traffic, this fills within seconds. Sessions are evicted, clients can't resume, and every new request triggers a full TLS handshake. Switch to `shared:SSL:10m` minimum.

What is the difference between ssl_session_cache shared vs builtin in Nginx?

`builtin` allocates an OpenSSL-internal cache per worker process — isolated, not shared. `shared` creates a single named cache in shared memory accessible by all worker processes. For any production deployment with multiple workers, `shared` is mandatory. `builtin` is only useful for single-worker test environments.

Should I enable or disable ssl_session_tickets in Nginx?

Set `ssl_session_tickets off` unless you have a robust ticket key rotation mechanism in place. Session tickets encode session state in a client-side cookie encrypted with a server key. If that key is static (Nginx default), it never rotates — compromising it retroactively decrypts past sessions, violating forward secrecy. Disabling tickets forces server-side session cache reuse, which is safer and easier to manage.

How to Fix Nginx SSL Session Cache Full: Eliminating TLS Handshake Storms in Production

Threat/Impact Level: HIGH | Exploitability/Downtime Risk: HIGH | Time to Fix: 10 mins

TL;DR

What broke: ssl_session_cache is set too small (or left at default builtin:1000), causing Nginx to drop SSL session tickets, forcing every client into a full TLS 1.2/1.3 handshake on every request.
How to fix it: Replace builtin cache with a shared cache sized to your concurrent connection count — minimum shared:SSL:10m for most production workloads.
Fast path: Use our Client-Side Sandbox below to auto-refactor this — paste your nginx.conf and get a corrected config without sending your certs or hostnames anywhere.

The Incident (What does the error mean?)

You'll see this in /var/log/nginx/error.log:

2024/01/15 03:42:17 [warn] 1234#1234: SSL_CTX_set_session_cache_mode() failed (SSL: error:1406C0BB)
2024/01/15 03:42:18 [warn] 1234#1234: session cache is full, discarding session

Or under high load, a flood of:

[warn] session cache is full, discarding session

Immediate consequence: Every discarded session means the next connection from that client cannot resume. It falls back to a full TLS handshake — RSA key exchange or ECDHE, certificate validation, the full chain. On a 10k RPS endpoint, this is a CPU and latency catastrophe. You'll see Nginx worker CPU spike to 100% and P99 latency climb 200–800ms depending on cipher suite and certificate chain depth.

The Attack Vector / Blast Radius

This is a resource exhaustion cascade, not just a config warning you can ignore.

The default builtin:1000 stores ~1000 sessions per worker process. On a 16-worker Nginx instance, that's 16 isolated caches — sessions are not shared across workers. A client hitting worker 3 gets no benefit from worker 7's cache. Under any meaningful load, cache thrash begins immediately.

Cascading failure chain:

Cache fills → sessions discarded → full handshakes forced
Full handshakes spike CPU on Nginx workers (asymmetric crypto is expensive)
Worker CPU saturation → request queue backs up
Upstream health checks start timing out → load balancer marks backends unhealthy
Traffic concentrates on remaining backends → they saturate faster
Total service degradation or outage from a single misconfigured directive

Secondary risk: With ssl_session_tickets off not explicitly set, you're also leaking session ticket key material across restarts unless you've configured a static ticket key rotation — a separate TLS security issue (BEAST/LUCKY13 adjacent).

How to Fix It (The Solution)

Basic Fix

Switch from builtin (per-worker) to shared (cross-worker) cache and size it correctly. Rule of thumb: 1MB stores ~4000 sessions. For 10k concurrent SSL connections, use 10m.

 http {
     server {
-        ssl_session_cache    builtin:1000;
-        ssl_session_timeout  5m;
+        ssl_session_cache    shared:SSL:10m;
+        ssl_session_timeout  1d;
+        ssl_session_tickets  off;
     }
 }

Enterprise Best Practice

For high-traffic production (100k+ concurrent connections), tune aggressively and layer in OCSP stapling to eliminate client-side cert validation round trips:

 http {
+    # Shared across ALL workers — critical for multi-worker deployments
-    ssl_session_cache    builtin:1000;
-    ssl_session_timeout  5m;
+    ssl_session_cache    shared:SSL:50m;
+    ssl_session_timeout  4h;
+    ssl_session_tickets  off;
+
+    # Eliminate OCSP lookup latency
+    ssl_stapling         on;
+    ssl_stapling_verify  on;
+    resolver             8.8.8.8 1.1.1.1 valid=300s;
+    resolver_timeout     5s;
+
+    # Restrict to TLS 1.2+ and fast cipher suites
+    ssl_protocols        TLSv1.2 TLSv1.3;
+    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
 }

Cache sizing formula:

ssl_session_cache shared:SSL:[N]m where N = ceil(expected_concurrent_ssl_sessions / 4000)
Monitor with: nginx -V 2>&1 | grep -o 'with-http_ssl_module' and curl http://localhost/nginx_status

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

1. Nginx config linting with gixy (Nginx static analyzer):

pip install gixy
gixy /etc/nginx/nginx.conf
# gixy flags ssl_session_cache misconfigs under SSRF and perf rule sets

2. Checkov IaC scanning — if you're templating Nginx configs via Terraform templatefile() or Helm:

checkov -d ./terraform --check CKV_NX_*

3. OPA/Conftest policy for nginx.conf in your pipeline:

# policy/nginx_ssl.rego
package nginx

deny[msg] {
    input.http.ssl_session_cache == "builtin:1000"
    msg := "ssl_session_cache must use shared cache, not builtin:1000"
}

deny[msg] {
    not input.http.ssl_session_cache
    msg := "ssl_session_cache directive is missing"
}

conftest test nginx.conf --policy policy/

4. Runtime alerting — Prometheus + Nginx exporter:

# Alert if SSL handshake rate spikes (proxy for cache miss storm)
- alert: NginxSSLHandshakeStorm
  expr: rate(nginx_connections_accepted_total[1m]) / rate(nginx_http_requests_total[1m]) > 0.8
  for: 2m
  annotations:
    summary: "High ratio of new connections to requests — SSL session reuse may be failing"