Opened 7 years ago
Closed 7 years ago
#1338 closed defect (invalid)
ssl_session_cache get incorrect shm zone
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.12.x |
Keywords: | ssl | Cc: | yoyo@… |
uname -a: | Linux localhost.localdomain 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: | nginx/1.12.0 and all released |
Description
ssl session of b.com will set to shm zone SA !!!!!!!!
conf:
server {
listen 443 ssl;
server_name *.a.com;
ssl_session_cache shared:SA:5m;
......
}
server {
listen 443 ssl;
server_name *.b.com;
ssl_session_cache shared:SB:5m;
......
}
fix1:
ngx_http_ssl_servername:
if (sscf->ssl.ctx) {
......
c->ssl->session_ctx = sscf->ssl.ctx;
}
or fix2:
ngx_ssl_new_session:
ngx_ssl_get_cached_session:
replace c->ssl->session_ctx by SSL_get_SSL_CTX(ssl_conn);
or both.
Change History (5)
comment:1 by , 7 years ago
comment:2 by , 7 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Session resumption happens in the context of the default server. This is how OpenSSL works, and there isn't much we can do about this.
Note well that the "fixes" suggested won't actually fix anything, but will break such configurations instead. See 97f102a13f33 and ticket #235 for additional details.
comment:3 by , 7 years ago
Why not reset the session_ctx in ngx_http_ssl_servername() with ssl context together?
if (sscf->ssl.ctx) { ...... c->ssl->session_ctx = sscf->ssl.ctx; }
comment:4 by , 7 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
comment:5 by , 7 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
As already explained, session resumption happens in the context of the default server. The SNI callback (ngx_http_ssl_servername()
) is called only after the session is either resumed or not. That is, if a default server uses cache A, and some SNI-based virtual host uses cache B, you will be able to store a session to B, but won't be able to resume this session - as cache A will be used during session resumption (because it happens before the SNI callback).
Accordingly, if for some reason you want to configure different session caches in different servers, you have to use real servers with different listen sockets (usually, servers listening on different IP addresses), and not just SNI-based virtual servers.
also ngx_ssl_session_ticket_key_callback