nginx-1.12.1 ssl_session_timeout overwritten by default_server

Maxim Dounin mdounin at
Wed Sep 6 13:37:04 UTC 2017


On Wed, Sep 06, 2017 at 12:15:33PM +0200, Chase Sillevis via nginx wrote:

> Today I ran into the case that the value for 
> ssl_session_timeout was overwritten by a different server block 
> (namely, the one with default_server). After asking around in 
> the IRC, it seems that this is more or less expected behaviour 
> (“I suspect as TLS/SSL is done before HTTP protocol”), however, 
> I am left wondering which other variables, besides 
> ssl_session_timeout, I should worry about here.
> And is this indeed expected behaviour?

When using SSL and name-based virtual servers, there are two basic 
cases to consider:

1. Client is not using the Server Name Indication (SNI) TLS extension.  
This is rare nowadays, though it still happens.  In this case, the whole 
SSL handshake happens before the name the client tries to access is even 
known, and all ssl_* settings will be applied from the default server.

2. Client is using SNI.  In this case, the name client tries to 
connect to is known in advance, and it is possible to apply some 
of the ssl_* settings from the relevant name-based virtual server.  
Most notably, appropriate SSL certificate will be used.  It is not 
possible to apply all settings though, mostly due to OpenSSL 
limitations.  In particular:

- session resumption happens before SNI callback, and hence all 
  session-related settings will be used from the default server 

- protocol will be fixed by OpenSSL before the SNI extension is 
  parsed, and hence ssl_protocols will be used from the default server

- ssl_ecdh_curve will be used from the default server

Maxim Dounin
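An added example, not part of this thread and not nginx's own code: a small Python checker that parses a simplified nginx config and reports every ssl_* directive written in a name-based server that will in fact be taken from the default_server for the same listen address, which answers the "which other variables should I worry about" question for a given config. The directive list follows the reply above (ssl_protocols, ssl_ecdh_curve, and the session-related settings; treating ssl_session_cache, ssl_session_tickets and ssl_session_ticket_key as "session-related" alongside ssl_session_timeout is my reading of it). The parser is deliberately minimal (no `include` expansion, no variables), and the sample config is constructed for the example.

```python
"""Flag ssl_* directives that nginx will take from the default_server
rather than from the name-based server block they are written in.

Added example for the mailing-list reply above; a simplified parser,
not nginx's own config handling.  Assumptions: plain-text config with no
`include` expansion and no variables in directive values."""
import re
from collections import defaultdict

# Directives the reply says come from the default server for a listen
# address: session resumption settings (the ssl_session_* names are my
# reading of "session-related"), the protocol list and the ECDH curve.
DEFAULT_SERVER_ONLY = {
    "ssl_session_timeout", "ssl_session_cache", "ssl_session_tickets",
    "ssl_session_ticket_key", "ssl_protocols", "ssl_ecdh_curve",
}

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Strip '#' comments and split into words, braces and semicolons."""
    text = re.sub(r"#[^\n]*", "", text)
    return _TOKEN.findall(text)


def _parse_server(tokens, i):
    """Parse one server block starting just after its '{'.
    Returns (directives, index after the closing '}').  Nested blocks
    (location, if, ...) are skipped: only server-level directives count."""
    directives, stmt, depth = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if depth:                       # inside a nested block: track braces only
            depth += (tok == "{") - (tok == "}")
        elif tok == ";":
            if stmt:
                directives.setdefault(stmt[0], []).append(stmt[1:])
            stmt = []
        elif tok == "{":
            depth, stmt = 1, []
        elif tok == "}":
            return directives, i
        else:
            stmt.append(tok)
    raise ValueError("unterminated server block")


def parse_servers(text):
    """Return one dict per server block: listen args, server names, directives."""
    tokens = tokenize(text)
    servers, i = [], 0
    while i < len(tokens) - 1:
        if tokens[i] == "server" and tokens[i + 1] == "{":
            directives, i = _parse_server(tokens, i + 2)
            servers.append({
                "listen": directives.get("listen", [["80"]]),
                "server_name": directives.get("server_name", [["_"]])[0],
                "directives": directives,
            })
        else:
            i += 1
    return servers


def find_overridden(text):
    """Return (server_name, directive, written_value, effective_value) for each
    DEFAULT_SERVER_ONLY directive in a non-default server whose value differs
    from what the default server for the same listen address will use."""
    by_addr = defaultdict(list)         # listen address -> [(is_default, server)]
    for s in parse_servers(text):
        for args in s["listen"]:
            flagged = "default_server" in args or "default" in args
            by_addr[args[0]].append((flagged, s))
    findings = []
    for entries in by_addr.values():
        # nginx rule: an explicit default_server wins, otherwise the first server listed
        default = next((s for is_def, s in entries if is_def), entries[0][1])
        for _, s in entries:
            if s is default:
                continue
            for name in sorted(DEFAULT_SERVER_ONLY.intersection(s["directives"])):
                written = " ".join(s["directives"][name][-1])
                eff = default["directives"].get(name)
                effective = " ".join(eff[-1]) if eff else None
                if written != effective:
                    findings.append((s["server_name"][0], name, written, effective))
    return findings


# Constructed sample: the second server's session/protocol/curve settings
# are silently taken from the default_server block instead.
SAMPLE_CONFIG = """
http {
    server {
        listen 443 ssl default_server;
        server_name default.example;
        ssl_certificate     /etc/nginx/certs/default.pem;   # placeholder paths
        ssl_certificate_key /etc/nginx/certs/default.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2;
    }
    server {
        listen 443 ssl;
        server_name app.example;
        ssl_certificate     /etc/nginx/certs/app.pem;
        ssl_certificate_key /etc/nginx/certs/app.key;
        ssl_session_timeout 1d;          # ignored: comes from default_server
        ssl_protocols TLSv1.2 TLSv1.3;   # ignored: comes from default_server
        ssl_ecdh_curve X25519;           # ignored: comes from default_server
        location / { proxy_pass http://127.0.0.1:8080; }
    }
}
"""

if __name__ == "__main__":
    for name, directive, written, effective in find_overridden(SAMPLE_CONFIG):
        print(f"{name}: {directive} {written!r} is ignored; "
              f"default_server uses {effective!r}")
```

Run it against a real config with `find_overridden(open("/etc/nginx/nginx.conf").read())` once includes are resolved by hand; an empty result means the settings in question either already live in the default server or are identical across the servers sharing that listen address (the usual fix is to set them once in the `http` context, or in the default_server block, rather than per name-based server).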
