Nginx + lua-nginx, get ssl_session_id

Yichun Zhang (agentzh) agentzh at
Wed Nov 26 20:29:15 UTC 2014


On Wed, Nov 26, 2014 at 8:29 AM, VladimirSmirnov wrote:
> For testing purposes I'm using self-signed ssl cert.
> ngx.log(ngx.DEBUG, "session_id=", ngx.var.ssl_session_id) prints "nil" in
> the logs. How can I get access to this variable?

It's very likely that your client sends TLS session tickets (in
addition to session IDs) and server-side OpenSSL prefers the former
(and ignores the latter, if any). I can reproduce the nil value when
my SSL client sends the TLS session tickets.

One quick way for testing non-empty $ssl_session_id values is to
*temporarily* make your nginx https server support the SSLv3 protocol
*only* (so as to disable TLS session tickets at all). This can be
achieved by adding the following line to your corresponding server {}

    ssl_protocols SSLv3;

And then your example produces the expected debugging log message like this:

    [debug] 4662#0: *3 [lua] access_by_lua(nginx.conf:36):2:

Well, this is just a hacky way to quickly test this thing. Do not use
SSLv3 exclusively in production! TLS session tickets are way more
effective (and cheaper) than SSL session IDs (if available).

BTW, for such ngx_lua questions, please post to the openresty-en
mailing list in the future instead. See for details. That way you may get
responses faster and get more responses than posting here.

Best regards,

More information about the nginx mailing list