Nginx + lua-nginx, get ssl_session_id

Yichun Zhang (agentzh) agentzh at gmail.com
Wed Nov 26 20:29:15 UTC 2014


Hello!

On Wed, Nov 26, 2014 at 8:29 AM, VladimirSmirnov wrote:
> For testing purposes I'm using self-signed ssl cert.
>
> ngx.log(ngx.DEBUG, "session_id=", ngx.var.ssl_session_id) prints "nil" in
> the logs. How can I get access to this variable?
>

It's very likely that your client sends TLS session tickets (in
addition to session IDs) and server-side OpenSSL prefers the former
(and ignores the latter, if any). I can reproduce the nil value when
my SSL client sends the TLS session tickets.

One quick way for testing non-empty $ssl_session_id values is to
*temporarily* make your nginx https server support the SSLv3 protocol
*only* (so as to disable TLS session tickets at all). This can be
achieved by adding the following line to your corresponding server {}
block:

    ssl_protocols SSLv3;

And then your example produces the expected debugging log message like this:

    [debug] 4662#0: *3 [lua] access_by_lua(nginx.conf:36):2:
session_id=c292f1d3fbb0d3c2353d04bacf02e8e86bf0920bbd86ea84c61a2619b86d99db

Well, this is just a hacky way to quickly test this thing. Do not use
SSLv3 exclusively in production! TLS session tickets are way more
effective (and cheaper) than SSL session IDs (if available).

BTW, for such ngx_lua questions, please post to the openresty-en
mailing list in the future instead. See
http://openresty.org/#Community for details. That way you may get
responses faster and get more responses than posting here.

Best regards,
-agentzh



More information about the nginx mailing list