Opened 5 years ago

Closed 5 years ago

#1674 closed defect (invalid)

SSL session ID is not reused when other server disable session cache

Reported by: ruoshan@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.15.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.15.6
built by clang 10.0.0 (clang-1000.11.45.5)
built with OpenSSL 1.0.2p 14 Aug 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.6 --sbin-path=/usr/local/Cellar/nginx/1.15.6/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module

Description

The following command failed to reuse the SSL session ID when nginx is configured like the following.

openssl s_client -connect 127.0.0.1:8443 -no_ticket -servername "two.test.me" -reconnect

Corresponding nginx conf:

daemon off;
master_process off;

events {
    worker_connections 1024;
}

http {
    server {
        listen 8443 ssl;
        server_name one.test.me;

        #ssl_session_cache shared:my_cache:10m;
        ssl_certificate ./certs/cert-wild.pem;
        ssl_certificate_key ./certs/key-wild.pem;
        ssl_session_timeout  5m;

        location / {
            return 201;
        }
    }

    server {
        listen 8443 ssl;
        server_name two.test.me;

        ssl_session_cache shared:my_cache:10m;
        ssl_certificate ./certs/cert-wild.pem;
        ssl_certificate_key ./certs/key-wild.pem;
        ssl_session_timeout  5m;

        location / {
            return 202;
        }
    }
}

the "bug" causing this seems to be in the ngx_http_ssl_servername.
that func didn't update the c->ssl->connection->session_ctx to the right one after we have the SNI info. it still use the "first" ssl session CTX of the first server block.

Maybe it should be fixed in OpenSSL.

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: new → closed

Session caching/restoring happens in the context of the default server, before the SNI callback. This is how OpenSSL works, and this is why c->ssl->connection->session_ctx was introduced in the first place - to access configuration of the SSL context where sessions are cached. See ticket #235 for details.
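Since the cache lookup runs in the context of the default server (the first server block for the listen port, or the one marked default_server), the practical fix for the config above is to set ssl_session_cache in that default server or at the http level rather than only in the SNI-selected block. The shell check below is an added example, not part of the ticket or of nginx; it counts the "New," / "Reused," lines that `openssl s_client -reconnect` prints, runs offline on constructed sample output, and assumes a server at 127.0.0.1:8443 only for the live probe.

```shell
#!/bin/sh
# Added example (not from the ticket): verify session ID resumption for an
# SNI name by counting the "New," and "Reused," status lines that
# `openssl s_client -reconnect` prints for its initial and follow-up
# connections. Assumes (hypothetically) a server on 127.0.0.1:8443
# configured like the ticket's nginx.conf.

# Read s_client output on stdin, print "<new> <reused>".
count_sessions() {
    awk '/^New, /    { n++ }
         /^Reused, / { r++ }
         END         { printf "%d %d\n", n + 0, r + 0 }'
}

# Constructed s_client output as seen against the ticket's "two.test.me"
# server: every reconnect negotiates a fresh session, nothing is resumed.
SAMPLE_NO_REUSE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Constructed output once ssl_session_cache is set in the default server:
# the first connection is new, the reconnects resume it.
SAMPLE_REUSE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'

# Return 0 when the given s_client output shows at least one resumed session.
has_reuse() {
    reused=$(printf '%s\n' "$1" | count_sessions | cut -d' ' -f2)
    [ "$reused" -gt 0 ]
}

# Live probe: $1 = host:port, $2 = SNI name; exit 0 if sessions resume.
check_live() {
    out=$(openssl s_client -connect "$1" -no_ticket -servername "$2" -reconnect \
              </dev/null 2>/dev/null)
    has_reuse "$out"
}
```

Run `check_live 127.0.0.1:8443 two.test.me && echo resumed` against the ticket's config to reproduce the report, then again after moving ssl_session_cache into the default server.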
