ssl_session_tickets not working

Posted by neilstuartcraig 
ssl_session_tickets not working
January 28, 2016 05:16AM
Hi all

I have a project I'm working on which I want to use ssl_session_tickets on, but I can't get it to work. My project is a caching proxy so it's not serving local content. Config (relevant part) is:

listen 443;
ssl on;
ssl_certificate /etc/nginx/current/tls/certs/xxx.crt;
ssl_certificate_key /etc/nginx/current/tls/private/xxx.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers !NULL:!SSLv2:!EXP:!MD5:!aNULL:!PSK:!kEDH:!KRB5:!ADH:!DES:!RC4:!CAMELLIA:AES128:HIGH:3DES;
ssl_ecdh_curve prime256v1;
ssl_buffer_size 4k;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:global_ssl_cache:128m;
ssl_stapling off;
ssl_stapling_verify off;
ssl_session_timeout 20m;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/current/tls/session/tkt.key;
ssl_dhparam /etc/nginx/current/tls/private/dh.param;
keepalive_timeout 300;

I log the $ssl_session_reused variable in my access logs and with the above, I always see a "." (session not reused).

I'm on nginx 1.9.10, compiled from source with OpenSSL 1.0.2e on CentOS 7 on AWS.

Does anyone know why session reuse isn't working? My main thoughts are, could it be due to:

* the requests being proxied, not locally served files
* perhaps my choice of ciphers is an issue

Does anyone have any suggestions? I have a test instance so I can try literally anything.

Thanks in advance!
Neil
Re: ssl_session_tickets not working
January 28, 2016 05:43AM
Forgot to post:

nginx -V
nginx version: nginx/1.9.9
built with OpenSSL 1.0.2e 3 Dec 2015
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/current/nginx.conf --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/default-error.log --http-log-path=/var/log/nginx/default-access.log --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=gtmdaemon --group=gtmdaemon --with-http_realip_module --with-http_v2_module --with-http_ssl_module --with-http_geoip_module --with-http_image_filter_module --with-pcre-jit --with-ipv6 --with-file-aio --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' --add-module=/tmp/tmpSFdHHg/BUILD/nginx-1.9.9/headers-more-nginx-module --add-module=/tmp/tmpSFdHHg/BUILD/nginx-1.9.9/naxsi/naxsi_src --add-module=/tmp/tmpSFdHHg/BUILD/nginx-1.9.9/nginx-module-vts --add-module=/tmp/tmpSFdHHg/BUILD/nginx-1.9.9/nginx_upstream_check_module --with-openssl=/tmp/tmpSFdHHg/BUILD/nginx-1.9.9/openssl-1.0.2e

and it's nginx 1.9.9, not 1.9.10 - I haven't deployed a new build yet
Re: ssl_session_tickets not working
January 28, 2016 06:37AM
OK, after more experimentation, I figured it out... SSL/TLS session tickets do not work when a listener is HTTP2 enabled, or at least the logging of session reuse is broken.

Can anyone else confirm please?
Re: ssl_session_tickets not working
January 29, 2016 04:40AM
Update (in case anyone has interest): TLS session tickets work for simple configurations over H2 but in my use case (which has several scopes and includes/inheritance) it doesn't. I am working on a reproducible test case I can pass on in a bug report. I'll post the bug link here when I raise it.
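The thread diagnoses the problem by reading $ssl_session_reused out of the access log and comparing HTTP/1.1 against HTTP/2 listeners. The script below is an added example, not code from the original posts, that does that comparison over log lines. It assumes a hypothetical log_format (shown in the comment) that appends $connection, $server_protocol, $ssl_protocol and $ssl_session_reused to each line; the sample lines are constructed for the example. It counts per distinct connection rather than per request, because an HTTP/2 client multiplexes many requests over one TLS connection and every request on it logs the same reuse flag, so per-request counting would make one unresumed H2 connection look like many failures.

```python
import re
from collections import defaultdict

# Assumed access log_format (not from the thread); the trailing fields are the
# nginx variables that make TLS resumption visible:
#   log_format tls '$remote_addr [$time_local] "$request" $status '
#                  '$connection $server_protocol $ssl_protocol $ssl_session_reused';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<connection>\d+) (?P<server_protocol>\S+) (?P<ssl_protocol>\S+) '
    r'(?P<reused>[r.])$'
)

# Constructed sample: three HTTP/1.1 connections (two resumed) and three
# HTTP/2 connections carrying several requests each (none resumed).
SAMPLE_LOG = """\
203.0.113.10 [28/Jan/2016:05:16:01 +0000] "GET / HTTP/1.1" 200 1 HTTP/1.1 TLSv1.2 .
203.0.113.10 [28/Jan/2016:05:16:02 +0000] "GET /a.css HTTP/1.1" 200 2 HTTP/1.1 TLSv1.2 r
203.0.113.10 [28/Jan/2016:05:16:03 +0000] "GET /b.js HTTP/1.1" 200 3 HTTP/1.1 TLSv1.2 r
198.51.100.7 [28/Jan/2016:05:16:04 +0000] "GET / HTTP/2.0" 200 4 HTTP/2.0 TLSv1.2 .
198.51.100.7 [28/Jan/2016:05:16:04 +0000] "GET /a.css HTTP/2.0" 200 4 HTTP/2.0 TLSv1.2 .
198.51.100.7 [28/Jan/2016:05:16:09 +0000] "GET / HTTP/2.0" 200 5 HTTP/2.0 TLSv1.2 .
198.51.100.7 [28/Jan/2016:05:16:09 +0000] "GET /b.js HTTP/2.0" 200 5 HTTP/2.0 TLSv1.2 .
198.51.100.7 [28/Jan/2016:05:16:15 +0000] "GET / HTTP/2.0" 200 6 HTTP/2.0 TLSv1.2 .
not a log line
"""


def parse_line(line):
    """Return the matched fields as a dict, or None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def reuse_by_protocol(lines):
    """Count distinct TLS connections, and how many of them were resumed,
    per application protocol. Keyed on $connection so that a multiplexed
    HTTP/2 connection is counted once however many requests it carried."""
    seen = {}  # connection id -> (server_protocol, resumed?)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        seen[rec["connection"]] = (rec["server_protocol"], rec["reused"] == "r")
    stats = defaultdict(lambda: {"connections": 0, "reused": 0})
    for proto, reused in seen.values():
        stats[proto]["connections"] += 1
        stats[proto]["reused"] += int(reused)
    return dict(stats)


def protocols_without_reuse(stats, min_connections=3):
    """Return the protocols that never resumed across at least
    min_connections connections. A single '.' proves nothing: every
    client's first handshake is necessarily a full handshake."""
    return sorted(
        proto for proto, s in stats.items()
        if s["connections"] >= min_connections and s["reused"] == 0
    )


if __name__ == "__main__":
    stats = reuse_by_protocol(SAMPLE_LOG.splitlines())
    for proto, s in sorted(stats.items()):
        print(f"{proto}: {s['reused']}/{s['connections']} connections resumed")
    print("no resumption seen on:", protocols_without_reuse(stats))
```

Run against a real log by replacing SAMPLE_LOG with the file contents; a protocol that shows up in protocols_without_reuse while the others resume normally is the signal the thread was looking for, and raising min_connections filters out the noise from clients that only ever connected once.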