Set ssl_session_tickets each virtual host is unable?
Maxim Dounin
mdounin at mdounin.ru
Fri Jan 13 15:09:24 UTC 2017
Hello!
On Thu, Jan 12, 2017 at 07:30:23PM -0500, malloc813 wrote:
> Maxim Dounin Wrote:
> -------------------------------------------------------
> > Hello!
> >
> > On Thu, Jan 12, 2017 at 11:57:58AM -0500, malloc813 wrote:
> >
> > > Hi, I tested an nginx configuration and got one problem.
> > > For example, I made 2 virtual hosts. They are SSL-enabled servers.
> > >
> > > http
> > > {
> > >     #host1
> > >     server
> > >     {
> > >         ...
> > >         ssl_session_tickets off;
> > >         ...
> > >     }
> > >
> > >     #host2
> > >     server
> > >     {
> > >         ...
> > >         ssl_session_tickets on;
> > >         ...
> > >     }
> > >
> > > }
> > >
> > > Visiting host1 after applying this configuration, Chrome shows an error:
> > > ERR_SSL_PROTOCOL_ERROR
> >
> > Works fine here. The ERR_SSL_PROTOCOL_ERROR is likely caused by
> > other problems in the configuration. First of all try "nginx -t"
> > to see if there are obvious errors in your config.
> >
>
> I saw a similar case like this:
> https://community.letsencrypt.org/t/errors-from-browsers-with-ssl-session-tickets-off-nginx/18124
> I will test this problem on another system.
Thanks, I was able to reproduce this. It happens in a situation
reversed compared to the configuration you've provided: if tickets
are switched off in a non-default server, and you try to connect
to this non-default server. For example:
server {
    listen 443 ssl;
    server_name one;
    ssl_session_tickets on;
    ...
}

server {
    listen 443 ssl;
    server_name two;
    ssl_session_tickets off;
    ...
}
It seems that OpenSSL (1.0.2j) tries to honor the changed session ticket
preference, but fails to do this properly: it does not send the
SessionTicket extension, but still tries to send the NewSessionTicket
handshake message. This causes problems with some browsers.

As of OpenSSL 1.1.0c it no longer tries to send the NewSessionTicket
handshake message in such a situation. (Note though that session
tickets still won't work anywhere if disabled in the default
server.)
> > > Is it impossible to set ssl_session_tickets differently for each
> > > virtual host?
> >
> > No.
> >
> > Session resumption happens in the context of the default server,
> > and it is not possible to have different session cache / session
> > tickets settings in virtual hosts. In the above configuration
> > session tickets will be off for both servers (assuming they are
> > listening on the same ip/port and the first one is the default).
> >
>
> That means, if I set ssl_session_cache and ssl_session_timeout in both
> the default server and a virtual host, nginx dismisses the virtual host's
> configuration and uses the default server's configuration too?
Yes. Though this is not something nginx does, rather this is how
session resumption is implemented in OpenSSL.
--
Maxim Dounin
http://nginx.org/
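As an added example (not code from the thread, from nginx or from OpenSSL), the following script checks what the reply describes: it performs one TLS 1.2 handshake per SNI name against the same ip:port and reports whether the server issued a session ticket, so you can confirm that every virtual host inherits the ssl_session_tickets setting of the default server. The address and server names in the usage line are placeholders, and the script assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx: probe each SNI name
# on one ip:port with openssl s_client and report whether the server issued a
# TLS 1.2 session ticket. The address and names in the usage line are
# placeholders (assumptions), not hosts from the original thread.

# ticket_issued: reads `openssl s_client` output on stdin and returns 0 if a
# NewSessionTicket was received. s_client prints the negotiated session with
# SSL_SESSION_print, which emits a "TLS session ticket:" hex block only when
# the server sent one; a ticket-less session shows only "Session-ID:" lines.
ticket_issued() {
    grep -q 'TLS session ticket:'
}

# probe_host ADDR PORT SNI: one TLS 1.2 handshake using SNI, printing
# "SNI: ticket" or "SNI: no-ticket". TLS 1.2 is forced because in TLS 1.3
# tickets arrive after the handshake, and with stdin closed s_client may
# exit before they are received.
probe_host() {
    addr=$1; port=$2; sni=$3
    if openssl s_client -tls1_2 -servername "$sni" -connect "$addr:$port" \
            </dev/null 2>/dev/null | ticket_issued; then
        echo "$sni: ticket"
    else
        echo "$sni: no-ticket"
    fi
}

# report_all ADDR PORT SNI...: probe every name on the same listener. Since
# session resumption settings are taken from the default server, all names
# should print the same result; a mixed result means a client may hit the
# OpenSSL 1.0.2 behaviour from the reply (NewSessionTicket without the
# SessionTicket extension), which some browsers reject.
report_all() {
    addr=$1; port=$2; shift 2
    for sni in "$@"; do
        probe_host "$addr" "$port" "$sni"
    done
}

# Usage (placeholder address and server names):
#   report_all 127.0.0.1 443 one two
```

If the output differs between names, move the ssl_session_tickets (and ssl_session_cache / ssl_session_timeout) directives into the default server for that listener; per-server values in the other blocks have no effect.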