Logging $ssl_session_id can crash Nginx 1.5.9 worker

Maxim Dounin mdounin at mdounin.ru
Wed Jan 22 21:34:51 UTC 2014


On Wed, Jan 22, 2014 at 02:02:51PM -0500, mnordhoff wrote:

> I run the nginx.org mainline packages on Ubuntu 12.04, 32- and 64-bit. I use
> a wacky custom log format, and after 1.5.9 was released today, I enabled
> logging the $ssl_session_id variable. I later ran an SSL Labs SSL Server
> Test, [0] which makes numerous HTTPS requests of various sorts, and lo and
> behold, one of my worker processes core dumped. I fooled around with my
> configuration and determined that the problem was logging $ssl_session_id.
> If I don't log it, it's fine. If I enable a log that contains
> $ssl_session_id -- even only $ssl_session_id -- it crashes.

Thanks for the report, the following patch should fix it:

--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2508,6 +2508,10 @@ ngx_ssl_get_session_id(ngx_connection_t 
     SSL_SESSION  *sess;
     sess = SSL_get0_session(c->ssl->connection);
+    if (sess == NULL) {
+        s->len = 0;
+        return NGX_OK;
+    }
     buf = sess->session_id;
     len = sess->session_id_length;

> Normal HTTPS requests -- well, I just tried curl and Firefox -- work fine. I
> notice that curl does log a session ID, but for Firefox that field is just a
> "-". I have no idea if that's an(other) Nginx bug or just a difference
> between the two clients, but it smells funny to me. I briefly enabled

That's normal, session id is expected to be empty, e.g., if session tickets are

Maxim Dounin

More information about the nginx mailing list