Opened 6 years ago
Closed 6 years ago
#1674 closed defect (invalid)
SSL session ID is not reused when other server disable session cache
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.15.x |
| Keywords: | | Cc: | |
| uname -a: | | | |

nginx -V:

```
nginx version: nginx/1.15.6
built by clang 10.0.0 (clang-1000.11.45.5)
built with OpenSSL 1.0.2p  14 Aug 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.6 --sbin-path=/usr/local/Cellar/nginx/1.15.6/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
```
Description
The following command failed to reuse the SSL session ID when nginx is configured as shown below:

```
openssl s_client -connect 127.0.0.1:8443 -no_ticket -servername "two.test.me" -reconnect
```

Corresponding nginx conf:

```nginx
daemon off;
master_process off;

events {
    worker_connections 1024;
}

http {
    server {
        listen 8443 ssl;
        server_name one.test.me;
        #ssl_session_cache shared:my_cache:10m;
        ssl_certificate ./certs/cert-wild.pem;
        ssl_certificate_key ./certs/key-wild.pem;
        ssl_session_timeout 5m;

        location / {
            return 201;
        }
    }

    server {
        listen 8443 ssl;
        server_name two.test.me;
        ssl_session_cache shared:my_cache:10m;
        ssl_certificate ./certs/cert-wild.pem;
        ssl_certificate_key ./certs/key-wild.pem;
        ssl_session_timeout 5m;

        location / {
            return 202;
        }
    }
}
```

The "bug" causing this seems to be in `ngx_http_ssl_servername`. That function doesn't update `c->ssl->connection->session_ctx` to the right one after we have the SNI info; it still uses the "first" SSL session CTX of the first server block. Maybe it should be fixed in OpenSSL.
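The configuration below is an added example for this ticket, not the reporter's or nginx's own. It keeps the reporter's two hostnames and certificate paths (placeholders here) and moves the shared session cache onto the first server for port 8443, which it marks explicitly as `default_server`: session lookup runs in that server's SSL context before the SNI callback selects `two.test.me`, so a cache declared only in the second server is never consulted for the resumption attempt.

```nginx
daemon off;
master_process off;

events {
    worker_connections 1024;
}

http {
    server {
        # Default server for the 8443 listen socket. The session-ID lookup
        # happens in this server's SSL context before SNI is processed, so
        # the cache (and timeout) must be declared here to take effect for
        # every name served on this port.
        listen 8443 ssl default_server;
        server_name one.test.me;
        ssl_session_cache shared:my_cache:10m;
        ssl_session_timeout 5m;
        ssl_certificate ./certs/cert-wild.pem;      # placeholder paths
        ssl_certificate_key ./certs/key-wild.pem;

        location / {
            return 201;
        }
    }

    server {
        listen 8443 ssl;
        server_name two.test.me;
        # Naming the same shared zone here is allowed and does not create a
        # second cache; it is the default server's declaration that matters
        # for resumption.
        ssl_session_cache shared:my_cache:10m;
        ssl_session_timeout 5m;
        ssl_certificate ./certs/cert-wild.pem;
        ssl_certificate_key ./certs/key-wild.pem;

        location / {
            return 202;
        }
    }
}
```

With this configuration the reporter's `openssl s_client ... -servername "two.test.me" -reconnect` command should report `Reused` for the reconnects; if the default server for a port carries no `ssl_session_cache`, session-ID resumption is effectively off for all names on that port, whatever the other server blocks declare.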
Session caching/restoring happens in the context of the default server, before the SNI callback. This is how OpenSSL works, and this is why `c->ssl->connection->session_ctx` was introduced in the first place - to access configuration of the SSL context where sessions are cached. See ticket #235 for details.
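The script below is an added example, not code from nginx or from this ticket. It gives two ways to verify that a server actually resumes sessions for a given SNI name: a parser for the `New,` / `Reused,` summary lines that `openssl s_client -reconnect` prints (the command the reporter used), and a direct check with Python's `ssl` module that reconnects with the previous session object and reads `session_reused`, mirroring `-no_ticket -reconnect`. The host, port and `two.test.me` name in the `__main__` block are the reporter's test setup; the `fake_s_client_output` helper constructs sample output for offline use and is not a real capture.

```python
"""Verify TLS session-ID resumption for one SNI name, two ways.

Added example for nginx ticket #1674, not code from nginx or the reporter.
Assumes the reporter's setup: nginx on 127.0.0.1:8443 with a self-signed
wildcard certificate serving one.test.me and two.test.me.
"""
import re
import socket
import ssl

# Summary line printed by `openssl s_client` after each handshake, e.g.
#   New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
#   Reused, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
# OpenSSL 1.0.2 prints "TLSv1/SSLv3" in the protocol field; the pattern
# accepts either form.
SUMMARY_RE = re.compile(r"^(New|Reused), (\S+), Cipher is (\S+)", re.MULTILINE)


def handshake_outcomes(s_client_output: str) -> list:
    """Return the New/Reused verdicts of an `s_client -reconnect` run, in order."""
    return [m.group(1) for m in SUMMARY_RE.finditer(s_client_output)]


def summarize_s_client(s_client_output: str) -> dict:
    """Count fresh versus resumed handshakes in s_client output."""
    outcomes = handshake_outcomes(s_client_output)
    return {"new": outcomes.count("New"), "reused": outcomes.count("Reused")}


def resumption_works(s_client_output: str) -> bool:
    """True when every reconnect after the first full handshake was resumed."""
    outcomes = handshake_outcomes(s_client_output)
    return len(outcomes) > 1 and all(o == "Reused" for o in outcomes[1:])


def fake_s_client_output(outcomes) -> str:
    """Constructed stand-in for `s_client -reconnect` output (not a real capture)."""
    lines = []
    for verdict in outcomes:
        lines += [
            "CONNECTED(00000003)",
            f"{verdict}, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384",
            "drop connection and then reconnect",
        ]
    return "\n".join(lines)


def live_resumption(host: str, port: int, servername: str, reconnects: int = 5) -> list:
    """Handshake once, then reconnect `reconnects` times with the saved session.

    Returns one bool per reconnect: the server-reported session_reused flag.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE             # self-signed test certificate, as in the ticket
    ctx.options |= ssl.OP_NO_TICKET             # force session-ID (server cache) resumption
    # TLS 1.3 resumes only via post-handshake tickets, so the session object is
    # not available right after the handshake; pin to 1.2 for a session-ID test.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    session, results = None, []
    for i in range(reconnects + 1):
        with socket.create_connection((host, port)) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername, session=session) as tls:
                if i:
                    results.append(tls.session_reused)
                session = tls.session           # offer this session on the next connect
    return results


if __name__ == "__main__":
    # Reporter's setup: expect [True, True, True, True, True] once the default
    # server for port 8443 declares the session cache.
    print(live_resumption("127.0.0.1", 8443, "two.test.me"))
```

Run it against the reporter's setup after the handshake is done, or pipe `openssl s_client ... -reconnect` output into `resumption_works`; the reporter's configuration yields six `New` lines and no `Reused`, while a cache declared on the default server yields one `New` followed by five `Reused`.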