Opened 2 years ago

Closed 2 years ago

#1628 closed defect (invalid)

$ssl_session_id is not set when client connected via MSIE11

Reported by: nskforward@…
Owned by:
Priority: major
Milestone:
Component: nginx-module
Version: 1.14.x
Keywords: ssl
Cc:
uname -a: Linux 20dc721b8293 4.9.93-boot2docker #1 SMP Thu Jul 19 18:29:50 UTC 2018 x86_64 Linux
nginx -V: nginx/1.14.0

Description

$ssl_session_id is not set when client connected via MSIE11

Steps:
1) Create a self-signed certificate and key
2) Appropriately configure NGINX to use the newly created key and certificate
3) Configure nginx to proxy dynamic to PHP-FPM with an additional parameter:
   fastcgi_param X-SSL-Session-Id $ssl_session_id;
4) Open the phpinfo page from the Firefox browser - as a result we see the correct behavior:
   $_ENV['X-SSL-Session-Id'] 9b3985b6f41dc77b46c5d23fdebd12525041c8475036ebd7607d9ba927701aec
5) Open the same page in IE11 - as a result we see an empty $_ENV['X-SSL-Session-Id'], even after a page refresh

Change History (4)

comment:1 by nskforward@…, 2 years ago

The same wrong behavior in MS Edge browser

comment:2 by nskforward@…, 2 years ago

I upgraded nginx to version 1.15.3 and the issue is solved

comment:3 by nskforward@…, 2 years ago

Sorry, it does not depend on the nginx version. The following setting solves the issue:
ssl_session_tickets off;

comment:4 by Maxim Dounin, 2 years ago

Resolution: invalid
Status: new → closed

The $ssl_session_id variable represents the SSL session id. It can be available or not depending on the configuration and the client behaviour, in particular:

  • It is not available when using neither SSL session cache nor session tickets.
  • When using session tickets, it is not available during the initial connection. When a session is reused, it is the client's responsibility to choose a session id, and it can be either available or not depending on the client behaviour, see RFC 5077.

Don't expect that $ssl_session_id is always available, it is not. Moreover, note that the session id can be arbitrarily selected by the client when using session tickets, and should be handled accordingly.
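
A configuration sketch for the behaviour discussed in comment:3 and comment:4, added here as an example and not taken from the ticket or from the nginx project: it enables a server-side session cache, turns tickets off, and makes an absent session id explicit to the backend and in the access log. The server name, file paths, cache zone name, backend address, the `$tls_sid_state` variable, the `tls_sid` log format and the `X-SSL-Session-Id-State` parameter are assumptions.

```nginx
# Added example: names, paths and addresses below are placeholders.
http {
    # Turn "empty or not" into an explicit state so the backend does not
    # have to guess whether an empty string means "no id".
    map $ssl_session_id $tls_sid_state {
        ""      absent;
        default present;
    }

    # $ssl_session_reused is "r" for a reused session and "." otherwise,
    # which helps explain why the id is missing on a given request.
    log_format tls_sid '$remote_addr reused=$ssl_session_reused '
                       'sid_state=$tls_sid_state sid=$ssl_session_id';

    server {
        listen 443 ssl;
        server_name example.test;                        # placeholder
        ssl_certificate     /etc/nginx/tls/example.crt;  # placeholder
        ssl_certificate_key /etc/nginx/tls/example.key;  # placeholder

        # Server-side session cache: sessions are stored on the server.
        ssl_session_cache shared:SSL:10m;

        # The setting from comment:3. With tickets on, the id seen on a
        # reused session is chosen by the client (comment:4, RFC 5077).
        ssl_session_tickets off;

        access_log /var/log/nginx/tls_sid.log tls_sid;

        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

            # May still be empty: the application must treat it as optional
            # and must not use it as an authentication or identity token.
            fastcgi_param X-SSL-Session-Id       $ssl_session_id;
            fastcgi_param X-SSL-Session-Id-State $tls_sid_state;

            fastcgi_pass 127.0.0.1:9000;                 # placeholder
        }
    }
}
```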
