Opened 8 years ago
Closed 21 months ago
#927 closed enhancement (wontfix)
Set $ssl_session_reused to "t" for session ticket reuse and set $ssl_session_id with session tickets
| Reported by: | Neil Craig | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.9.x |
| Keywords: | tls session ticket variable ssl | Cc: | |
| uname -a: | Linux ip-10-13-145-208 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.9.12
built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/current/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/default-error.log --http-log-path=/var/log/nginx/default-access.log --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=gtmdaemon --group=gtmdaemon --with-http_realip_module --with-http_v2_module --with-http_ssl_module --with-http_geoip_module --with-http_image_filter_module --with-pcre-jit --with-ipv6 --with-file-aio --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' --add-module=/tmp/tmpTahEEN/BUILD/nginx-1.9.12/headers-more-nginx-module --add-module=/tmp/tmpTahEEN/BUILD/nginx-1.9.12/naxsi/naxsi_src --add-module=/tmp/tmpTahEEN/BUILD/nginx-1.9.12/nginx-module-vts --with-openssl=/tmp/tmpTahEEN/BUILD/nginx-1.9.12/openssl-1.0.2g |
||
Description
Hi
I've got an NGINX setup which offers TLS session tickets which work just fine but i only found that out after a bit of digging because my access logging which logs $ssl_session_reused and $ssl_session_id showed nothing for either value and thus I thought session tickets were not working.
So, i'd like to ask if it's possible to perhaps extend/set as follows under session tickets:
$ssl_session_reused to "t" when session tickets are in use
$ssl_session_id to the session ticket ID
This would enable me and others to log (etc.) session ticket usage, otherwise it's a bit of blind faith.
It'd also be really nice to note in the docs (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables) the current info is for the 1st gen server-side TLS sessions as i think it's perhaps a bit too implicit currently.
Cheers
Neil
Change History (5)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Apologies for the delay in response, i was assuming i'd get an email.
WRT session ID, i'd seen that in the openssl s_client output - understood.
WRT session_reuse - it would be massively helpful to have an indicator in the $ssl_session_reuse var as we'll have a large number of NGINX servers and thus checking them via openssl or similar is not practical in a trivial manner, also it would be extremely useful as a reporting metric in access logs (i am logging this value already). Perhaps it'd be possible to add this conditionally on the underlying SSL lib supporting it?
Cheers
comment:3 by , 8 years ago
Hi again
Just wondered if the above might be worth looking at now that NGINX compiles against openssl 1.1.
Cheers
comment:4 by , 7 years ago
| Keywords: | ssl added |
|---|
comment:5 by , 21 months ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
I've looked into this in more detail, and it turns out I was wrong: SSL_SESSION_has_ticket() only works on client side of an SSL connection, and cannot be used to distinguish session resumption based on session cache or session tickets on the server. It does not look like there is an easy way to distinguish different ways of session resumption on the server.
Given that tickets are supported by all major clients, and TLSv1.3 essentially makes tickets support mandatory, trying to implement this without readily available interfaces in the SSL libraries probably does not worth the effort.
When using session tickets, there is such thing as "session ticket id" - tickets are just encrypted data. Session ID as available after a session is resumed using a ticket is an ID generated by the client, see RFC 5077:
As this ID is generated by a client when presenting a ticket, it is not available during first connection. Note that it may also not be available during subsequent connections, or be different in different connections.
In either case
$ssl_session_reusedwill correctly show if session is reused or not (either using session cache or session tickets).You can easily check if session tickets work using
openssl s_client, e.g.:$ openssl s_client -connect 127.0.0.1:8443 -reconnect CONNECTED(00000003) ... TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 54 d2 3e 3b 32 c5 cd 1c-91 d8 4d 7a 7c 9d 24 f8 T.>;2.....Mz|.$. 0010 - 4b 78 0c 3d 3f 20 ac aa-44 bb a7 ee 89 19 1f a7 Kx.=? ..D....... ... drop connection and then reconnect CONNECTED(00000003) ... TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 54 d2 3e 3b 32 c5 cd 1c-91 d8 4d 7a 7c 9d 24 f8 T.>;2.....Mz|.$. 0010 - 4b 78 0c 3d 3f 20 ac aa-44 bb a7 ee 89 19 1f a7 Kx.=? ..D....... ...It may make sense to introduce additional information to make it possible to find out if a session was reused using session tickets or session cache (and additional value in the
$ssl_session_reusedvariables looks like a good solution). But an API to do this,SSL_SESSION_has_ticket(), is only available in OpenSSL 1.1.0, which is not yet released. And finding this in at least some previous versions would not be possible withOPENSSL_NO_SSL_INTERNdefined.