Hello!

On Wed, Jan 22, 2014 at 02:02:51PM -0500, mnordhoff wrote:

> I run the nginx.org mainline packages on Ubuntu 12.04, 32- and 64-bit. I use
> a wacky custom log format, and after 1.5.9 was released today, I enabled
> logging the $ssl_session_id variable. I later ran an SSL Labs SSL Server
> Test, [0] which makes numerous HTTPS requests of various sorts, and lo and
> behold, one of my worker processes core dumped. I fooled around with my
> configuration and determined that the problem was logging $ssl_session_id.
> If I don't log it, it's fine. If I enable a log that contains
> $ssl_session_id -- even only $ssl_session_id -- it crashes.

Thanks for the report, the following patch should fix it:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2508,6 +2508,10 @@ ngx_ssl_get_session_id(ngx_connection_t
SSL_SESSION *sess;

sess = SSL_get0_session(c->ssl->connection);
+ if (sess == NULL) {
+ s->len = 0;
+ return NGX_OK;
+ }

buf = sess->session_id;
len = sess->session_id_length;


> Normal HTTPS requests -- well, I just tried curl and Firefox -- work fine. I
> notice that curl does log a session ID, but for Firefox that field is just a
> "-". I have no idea if that's an(other) Nginx bug or just a difference
> between the two clients, but it smells funny to me. I briefly enabled

That's normal, session id is expected to be empty, e.g., if session tickets are
used.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx