Various debugging info not shown (
Alex
alex at zeitgeist.se
Sun Oct 27 15:04:57 UTC 2013
Hi Maxim,
Good question. I have been debugging an SSL configuration for some time,
and one of the things I've been testing for is the renewal of session
tickets. I used a thin client for that purpose:
https://github.com/grooverdan/rfc5077
Anyhow, according to the test, session renewal appears to work as intended:
./gnutls-client -r -d 10 mysite 443
[✔] Parse arguments.
[✔] Initialize GNU TLS library.
[✔] Solve mysite:443:
│ Will connect to myip
[✔] Initialize TLS session.
[✔] Enable use of session tickets (RFC 5077).
[✔] Connect to mysite:443.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
│ SSL session was not used
[✔] Get current session:
│ Session context:
│ Protocol : TLS1.2
│ Cipher : AES-256-CBC
│ Kx : DHE-RSA
│ Compression : NULL
│ PSK : (null)
│ ID : D18B216F82B277FCA97B95E35E91A323F922873483FD02FB025FE94106CB50C3
[✔] Send HTTP GET.
[✔] Get HTTP answer:
│ HTTP/1.1 301 Moved Permanently
[✔] End TLS connection.
[✔] waiting 10 seconds.
[✔] Initialize TLS session.
[✔] Enable use of session tickets (RFC 5077).
[✔] Copy old session.
[✔] Connect to mysite:443.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
│ SSL session correctly reused
[✔] Get current session:
│ Session context:
│ Protocol : TLS1.2
│ Cipher : AES-256-CBC
│ Kx : DHE-RSA
│ Compression : NULL
│ PSK : (null)
│ ID : D18B216F82B277FCA97B95E35E91A323F922873483FD02FB025FE94106CB50C3
[✔] Send HTTP GET.
[✔] Get HTTP answer:
│ HTTP/1.1 301 Moved Permanently
[✔] End TLS connection.
So I thought when I enable full debugging, I'd see the relevant debug
information in the error log, such as ssl new session / ssl get session
from ngx_event_openssl.c - of which nothing is shown, however.
FWIW, the reason why I am actually trying to debug this is because for
some reason, when I choose a larger delay between the two test
renegotiations, instead of 10s, let's say 3600s, then the previous
session would not get reused - despite the fact that in my nginx site
config, I set a very large session timeout (1680m).
Cheers,
Alex