Re: Set ssl_session_tickets each virtual host is unable?

Maxim Dounin
January 13, 2017 10:10AM
Hello!

On Thu, Jan 12, 2017 at 07:30:23PM -0500, malloc813 wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> > Hello!
> >
> > On Thu, Jan 12, 2017 at 11:57:58AM -0500, malloc813 wrote:
> >
> > > Hi, I tested nginx configuration and got one problem.
> > > For example, I made 2 virtual hosts. They are SSL enabled server.
> > >
> > > http
> > > {
> > > #host1
> > > server
> > > {
> > > ...
> > > ssl_session_tickets off;
> > > ...
> > > }
> > >
> > > #host2
> > > server
> > > {
> > > ...
> > > ssl_session_tickets on;
> > > ...
> > > }
> > >
> > > }
> > >
> > > Visiting host1 after applying this configuration, Chrome shows an error:
> > > ERR_SSL_PROTOCOL_ERROR
> >
> > Works fine here. The ERR_SSL_PROTOCOL_ERROR is likely caused by
> > other problems in the configuration. First of all try "nginx -t"
> > to see if there are obvious errors in your config.
> >
>
> I saw similar case like this:
> https://community.letsencrypt.org/t/errors-from-browsers-with-ssl-session-tickets-off-nginx/18124
> I will test this problem with other system.

Thanks, I was able to reproduce this. It happens in a situation
reversed compared to the configuration you've provided: if tickets
are switched off in a non-default server, and you try to connect
to this non-default server. For example:

server {
    listen 443 ssl;
    server_name one;
    ssl_session_tickets on;
    ...
}

server {
    listen 443 ssl;
    server_name two;
    ssl_session_tickets off;
    ...
}

It seems that OpenSSL (1.0.2j) tries to honor the changed session ticket
preference, but fails to do this properly: it does not send the
SessionTicket extension, but still tries to send the NewSessionTicket
handshake message. This causes problems with some browsers.

As of OpenSSL 1.1.0c it no longer tries to send the NewSessionTicket
handshake message in such a situation. (Note though that session
tickets still won't work anywhere if disabled in the default
server.)

> > > Is it impossible to set ssl_session_tickets differently each
> > virtual host?
> >
> > No.
> >
> > Session resumption happens in the context of the default server,
> > and it is not possible to have different session cache / session
> > tickets settings in virtual hosts. In the above configuration
> > session tickets will be off for both servers (assuming they are
> > listening on the same ip/port and the first one is the default).
> >
>
> That means, if I set ssl_session_cache and ssl_session_timeout in both the
> default server and the virtual host, nginx dismisses the virtual host's
> configuration and uses the default server's configuration too?

Yes. Though this is not something nginx does, rather this is how
session resumption is implemented in OpenSSL.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
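The behaviour Maxim describes (resumption settings taken from the default server, whatever a non-default server says) can be verified from the client side. The following is an added example, not code from this thread or from nginx: it handshakes with each server_name over SNI, pinned to TLS 1.2, and reports whether a session ticket was issued and whether a second connection resumes. It assumes the names "one" and "two" from the reply resolve to a test instance at 127.0.0.1:443, possibly with a self-signed certificate.

```python
import socket
import ssl


def _context():
    """Client context pinned to TLS 1.2: TLS 1.3 tickets arrive after the
    handshake and would need a read before tls.session is populated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # assumption: self-signed test cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port, server_name, timeout=5.0):
    """Handshake twice with one SNI name. Returns
    {'ticket': first handshake yielded a session ticket,
     'resumed': second connection reused that session}."""
    ctx = _context()
    with socket.create_connection((host, port), timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name) as tls:
        sess = tls.session                 # None if nothing resumable was offered
    with socket.create_connection((host, port), timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name, session=sess) as tls:
        resumed = tls.session_reused
    return {"ticket": bool(sess and sess.has_ticket), "resumed": resumed}


def tickets_follow_default(results, default_name):
    """True when every name shows the same ticket behaviour as the default
    server, which is what the reply above says to expect."""
    ref = results[default_name]["ticket"]
    return all(r["ticket"] == ref for r in results.values())


def mismatches(results, intended):
    """Names whose observed ticket behaviour differs from their configured
    ssl_session_tickets value (intended maps server_name -> True/False)."""
    return sorted(n for n, want in intended.items() if results[n]["ticket"] != want)


if __name__ == "__main__":
    # Assumption: "one" (default, tickets on) and "two" (tickets off) resolve
    # to the nginx test instance at 127.0.0.1:443, as in the reply's config.
    intended = {"one": True, "two": False}
    observed = {n: probe("127.0.0.1", 443, n) for n in intended}
    for name, r in observed.items():
        print(f"{name}: ticket={r['ticket']} resumed={r['resumed']}")
    print("all names follow the default server:", tickets_follow_default(observed, "one"))
    print("names not honouring their own setting:", mismatches(observed, intended))
```

A name that reports ticket=False but resumed=True is resuming via the session cache (session ID), not via tickets.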