#1006 closed defect (wontfix)
two more server listen 443(ssl), none-default server's ssl_session_cache is out of work
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | nginx-core | Version: | 1.9.x |
| Keywords: | openssl ssl_session_cache | Cc: | |
| uname -a: | 2.6.32-573.22.1.el6.x86_64 | ||
| nginx -V: | 1.9.15 | ||
Description
server{
listen 443 ssl default_server;
server_name a.com;
...
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 30m;
}
server{
listen 443 ssl;
server_name b.com;
...
ssl_session_cache none;
}
#cat /etc/hosts
127.0.0.1 a.bom
127.0.0.1 b.com
#curl https://b.com/
will enter "ngx_ssl_new_session" function
read openssl and nginx code, call path is:
(1)s->session_ctx->get_session_cb (s3_srvr.c:1045) ->nginx default server a.com
(2)ngx_http_ssl_servername (s3_srvr.c:1263)
(3)s->cert->cert_cb (s3_srvr.c:1427) ->b.com server
(4)s->session_ctx->new_session_cb (ssl_lib.c:2644) ->a.com server(default server)
PS:openssl-1.0.2h
Change History (3)
follow-up: 2 comment:1 by , 8 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
follow-up: 3 comment:2 by , 8 years ago
if we parse tlsext server_name (ssl_scan_clienthello_tlsext) before generate/get session, we can get the ctx.
whether this approach can solve the problem?
Replying to mdounin:
Yes, that's expected behaviour. Sessions are saved/restored by OpenSSL in context of the main server, as requested server name can be only known after a session is restored.
comment:3 by , 8 years ago
Replying to cjhust1986@…:
if we parse tlsext server_name (ssl_scan_clienthello_tlsext) before generate/get session, we can get the ctx.
whether this approach can solve the problem?
This is not something can be done by nginx, it will require modifications of the OpenSSL library.
Yes, that's expected behaviour. Sessions are saved/restored by OpenSSL in context of the main server, as requested server name can be only known after a session is restored.