
List:       apache-httpd-users
Subject:    Re: [users@httpd] SSL Session Id lost?
From:       Alex Soto <asotobu () gmail ! com>
Date:       2015-07-24 10:53:42
Message-ID: CAGV8jqgxJ-9g1UcGN0dt-CRVbDrRqxbf5nFXMiRgzcL0CgQQ3Q () mail ! gmail ! com

Ok finally it was the combination of the flag you mention with other flags.
Now everything works, thank you so much.

Alex.

On Fri, 24 Jul 2015 at 9:51, Alex Soto (<asotobu@gmail.com>) wrote:

> Hi, I have tried to put SSLSessionTickets off in httpd.conf and
> httpd-ssl.conf, but the result is still the same.
>
> Regards,
> Alex.
>
> On Thu, 23 Jul 2015 at 23:03, Yann Ylavic (<ylavic.dev@gmail.com>) wrote:
>
>> On Thu, Jul 23, 2015 at 3:50 PM, Alex Soto <asotobu@gmail.com> wrote:
>> >
>> > It seems that everything is configured correctly since it sometimes works.
>> > Have you ever found something similar, or do you know what can be happening?
>> > Do you think that maybe the problem is on the client (browser) side?
>> >
>> > We say that there is something in Apache Httpd since I have modified what
>> > was printed in the access_log file to print the SSL session id as the second
>> > parameter. And I get the following:
>> >
>> > (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
>> >
>> > HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89
>>
>> This is because the SSL_SESSION_ID is not always available on the TLS
>> side, when session tickets are used at first.
>>
>> It's up to the client to generate (or not) a session ID, which is only
>> available on the first session resumption.
>>
>> https://tools.ietf.org/html/rfc5077#section-3.4 for the details.
>>
>> You may configure "SSLSessionTickets off" to disable session tickets
>> management in TLS (using session IDs only).
>>
>> Regards,
>> Yann.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
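
A check for the symptom discussed in this thread, as an added example that is not part of the original messages: it parses access-log lines written with the LogFormat quoted above and counts, per client, how many requests logged `-` in place of an SSL session ID. The session ID value and every sample line except the first are constructed.

```python
import re
from collections import defaultdict

# Field order of the LogFormat quoted in the thread:
#   "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b"
LINE_RE = re.compile(
    r'^(?P<proto>\S+) (?P<sid>\S+) (?P<host>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Constructed sample input; only the first line appears in the thread.
SID = "5f2c9a" + "0" * 58  # constructed 64-hex-digit session ID
SAMPLE = [
    'HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    f'HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:09 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    f'HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:12 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    'not an access-log line',
]

def summarize(lines):
    """Per client host: request count, requests without a session ID, distinct IDs."""
    stats = defaultdict(lambda: {"requests": 0, "missing": 0, "ids": set()})
    unparsed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed.append(line)  # keep for inspection instead of silently dropping
            continue
        entry = stats[m["host"]]
        entry["requests"] += 1
        if m["sid"] == "-":  # mod_log_config logs "-" when the variable is unset
            entry["missing"] += 1
        else:
            entry["ids"].add(m["sid"].lower())
    return dict(stats), unparsed

def clients_missing_session_id(stats):
    """Hosts that made at least one request with no session ID logged."""
    return sorted(h for h, e in stats.items() if e["missing"] > 0)

if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE)
    for host, e in sorted(stats.items()):
        print(f"{host}: {e['missing']}/{e['requests']} requests without a session ID, "
              f"{len(e['ids'])} distinct ID(s)")
    print(f"{len(unparsed)} line(s) did not match the LogFormat")
```

Running it over the access log before and after a configuration change shows whether the share of requests without a session ID actually dropped.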



