SSL session resumption. SSL Labs test.
Maxim Dounin
mdounin at mdounin.ru
Mon Nov 22 06:02:01 MSK 2010
Hello!
On Mon, Nov 22, 2010 at 01:24:01AM +0000, António P. P. Almeida wrote:
> On 21 Nov 2010 22h55 WET, me at luitvd.net wrote:
>
> > On Sun, Nov 21, 2010 at 11:43 PM, António P. P. Almeida
> > <appa at perusio.net> wrote:
> >> ...
> >> Isn't this enough? Can someone more knowledgeable than I in SSL/TLS
> >> stuff and Nginx shed some light on this issue? Should I ignore this
> >> result?
> >
> > The case might be that Qualys SSL Labs checks all this against the
> > IP address it resolves from the domain you give them. Apply those
> > SSL settings to the default server to make this all work there.
>
> Ok. I think I get it. The test doesn't use SNI. Hence it checks
> against the default_server for the session resumption test. Since in
> this case this is just a regular HTTP server block with '_' as server
> name it doesn't associate the server where the certficate is installed
> with the session resumption test.
>
> Is that it?
Session establishmen/resumption happens before SNI handling.
Therefore configuring session cache within SNI-only server{} won't
work, you have to configure one in default server for the socket
in question.
This is how it's done in OpenSSL, and it seems to be what actually
required by RFC4366 (http://tools.ietf.org/html/rfc4366#section-3):
- If, on the other hand, the older session is resumed, then the
server MUST ignore the extensions and send a server hello
containing none of the extension types. In this case, the
functionality of these extensions negotiated during the original
session initiation is applied to the resumed session.
One can't resume session stored somewhere in server name related
context while following "MUST ignore" rule.
Maxim Dounin
More information about the nginx
mailing list