Various debugging info not shown (

Alex alex at zeitgeist.se
Sun Oct 27 15:04:57 UTC 2013


Hi Maxim,

Good question. I have been debugging an SSL configuration for some time, 
and one of the things I've been testing for is the renewal of session 
tickets. I used a thin client for that purpose: 
https://github.com/grooverdan/rfc5077

Anyhow, according to the test, session renewal appears to work as intended:

./gnutls-client -r -d 10 mysite 443

[✔] Parse arguments.
[✔] Initialize GNU TLS library.
[✔] Solve mysite:443:
     │ Will connect to myip
[✔] Initialize TLS session.
[✔] Enable use of session tickets (RFC 5077).
[✔] Connect to mysite:443.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
     │ SSL session was not used
[✔] Get current session:
     │ Session context:
     │ Protocol : TLS1.2
     │ Cipher : AES-256-CBC
     │ Kx : DHE-RSA
     │ Compression : NULL
     │ PSK : (null)
     │ ID : D18B216F82B277FCA97B95E35E91A323F922873483FD02FB025FE94106CB50C3
[✔] Send HTTP GET.
[✔] Get HTTP answer:
     │ HTTP/1.1 301 Moved Permanently
[✔] End TLS connection.
[✔] waiting 10 seconds.
[✔] Initialize TLS session.
[✔] Enable use of session tickets (RFC 5077).
[✔] Copy old session.
[✔] Connect to mysite:443.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
     │ SSL session correctly reused
[✔] Get current session:
     │ Session context:
     │ Protocol : TLS1.2
     │ Cipher : AES-256-CBC
     │ Kx : DHE-RSA
     │ Compression : NULL
     │ PSK : (null)
     │ ID : D18B216F82B277FCA97B95E35E91A323F922873483FD02FB025FE94106CB50C3
[✔] Send HTTP GET.
[✔] Get HTTP answer:
     │ HTTP/1.1 301 Moved Permanently
[✔] End TLS connection.

So I thought when I enable full debugging, I'd see the relevant debug 
information in the error log, such as ssl new session / ssl get session 
from ngx_event_openssl.c - of which nothing is shown however.

FWIW, the reason why I am actually trying to debug this is because for 
some reason, when I choose a larger delay between the two test 
renegotiations, instead of 10s, let's say 3600s, then the previous 
session would not get reused - despite the fact that in my nginx site 
config, I set a very large session timeout (1680m).

Cheers,
Alex


