Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1006 closed defect (wontfix)

two or more servers listen on 443 (ssl), non-default server's ssl_session_cache does not work

Reported by: cjhust1986@…
Owned by:
Priority: critical
Milestone:
Component: nginx-core
Version: 1.9.x
Keywords: openssl ssl_session_cache
Cc:
uname -a: 2.6.32-573.22.1.el6.x86_64
nginx -V: 1.9.15

Description

server {
    listen 443 ssl default_server;
    server_name a.com;
    ...
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 30m;
}

server {
    listen 443 ssl;
    server_name b.com;
    ...
    ssl_session_cache none;
}

#cat /etc/hosts
127.0.0.1 a.com
127.0.0.1 b.com

#curl https://b.com/
will enter the "ngx_ssl_new_session" function

Reading the OpenSSL and nginx code, the call path is:
(1)s->session_ctx->get_session_cb (s3_srvr.c:1045) ->nginx default server a.com
(2)ngx_http_ssl_servername (s3_srvr.c:1263)
(3)s->cert->cert_cb (s3_srvr.c:1427) ->b.com server
(4)s->session_ctx->new_session_cb (ssl_lib.c:2644) ->a.com server(default server)

PS: openssl-1.0.2h
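A client-side check for the behaviour reproduced above, added here as an example and not part of the ticket: it connects twice with the same SNI name, declining session tickets so that resumption can only come from the server-side session cache, and reports whether the second handshake resumed. HOST, PORT, the a.com/b.com expectations and the helper names are assumptions; the server must be reachable for probe_session_reuse to run.

```python
"""Probe TLS session resumption per SNI name (added example, not nginx code)."""
import socket
import ssl


def probe_session_reuse(host, port, server_name, timeout=5.0):
    """Handshake twice with the same SNI; True if the second one resumed."""
    ctx = ssl.create_default_context()
    # Resumption is independent of certificate validation; for a lab server
    # with a self-signed certificate disable verification here only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Refuse session tickets so the server must use its session cache, and
    # pin TLS 1.2: session-ID resumption is the mechanism in the ticket
    # (OpenSSL 1.0.2h); TLS 1.3 hands out tickets after the handshake.
    ctx.options |= ssl.OP_NO_TICKET
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            session = tls.session  # session object issued by the server
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name,
                             session=session) as tls:
            return tls.session_reused


def evaluate(server_name, cache_configured, reused):
    """Compare observed resumption with the vhost's own ssl_session_cache
    directive. Returns (ok, message)."""
    if cache_configured and not reused:
        return False, f"{server_name}: cache configured but session not resumed"
    if not cache_configured and reused:
        # The situation from the ticket: the default server's cache served
        # this name although the vhost itself set "ssl_session_cache none".
        return False, (f"{server_name}: ssl_session_cache none not honoured; "
                       "the default server's cache governs this socket")
    return True, f"{server_name}: resumption matches configuration"


if __name__ == "__main__":
    HOST, PORT = "127.0.0.1", 443  # placeholders: your nginx listen socket
    # Constructed expectations mirroring the ticket's two server blocks.
    for name, has_cache in (("a.com", True), ("b.com", False)):
        reused = probe_session_reuse(HOST, PORT, name)
        print(evaluate(name, has_cache, reused)[1])
```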

Change History (3)

comment:1 follow-up: Changed 3 years ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

Yes, that's expected behaviour. Sessions are saved/restored by OpenSSL in the context of the main server, as the requested server name can only be known after a session is restored.

comment:2 in reply to: ↑ 1 ; follow-up: Changed 3 years ago by cjhust1986@…

If we parse the tlsext server_name (ssl_scan_clienthello_tlsext) before generating/getting the session, we can get the ctx.
Could this approach solve the problem?

Replying to mdounin:

Yes, that's expected behaviour. Sessions are saved/restored by OpenSSL in the context of the main server, as the requested server name can only be known after a session is restored.

comment:3 in reply to: ↑ 2 Changed 3 years ago by mdounin

Replying to cjhust1986@…:

If we parse the tlsext server_name (ssl_scan_clienthello_tlsext) before generating/getting the session, we can get the ctx.
Could this approach solve the problem?

This is not something that can be done by nginx; it would require modifications to the OpenSSL library.
