List: apache-httpd-users
Subject: Re: [users@httpd] SSL Session Id lost?
From: Alex Soto <asotobu () gmail ! com>
Date: 2015-07-24 10:53:42
Message-ID: CAGV8jqgxJ-9g1UcGN0dt-CRVbDrRqxbf5nFXMiRgzcL0CgQQ3Q () mail ! gmail ! com
OK, finally it was the combination of the flag you mention with other flags.
Now everything works, thank you so much.
Alex.
On Fri, 24 Jul 2015 at 9:51, Alex Soto (<asotobu@gmail.com>) wrote:
> Hi, I have tried to put SSLSessionTickets off in httpd.conf and
> httpd-ssl.conf, but the result is still the same.
>
> Regards,
> Alex.
>
> On Thu, 23 Jul 2015 at 23:03, Yann Ylavic (<ylavic.dev@gmail.com>) wrote:
>
>> On Thu, Jul 23, 2015 at 3:50 PM, Alex Soto <asotobu@gmail.com> wrote:
>> >
>> > It seems that everything is configured correctly since it sometimes works.
>> > Have you ever found something similar, or do you know what could be
>> > happening? Do you think that maybe the problem is on the client (browser)
>> > side?
>> >
>> > We say that there is something in Apache Httpd since I have modified what
>> > was printed in the access_log file to print the SSL session ID as the second
>> > parameter. And I get the following:
>> >
>> > (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
>> >
>> > HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89
>>
>> This is because the SSL_SESSION_ID is not always available on the TLS
>> side, when session tickets are used at first.
>>
>> It's up to the client to generate (or not) a session ID, which is only
>> available on the first session resumption.
>>
>> https://tools.ietf.org/html/rfc5077#section-3.4 for the details.
>>
>> You may configure "SSLSessionTickets off" to disable session tickets
>> management in TLS (using session IDs only).
>>
>> Regards,
>> Yann.
>>
>>
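
Added example (not part of the original thread, and not code from Apache httpd): a Python check for the symptom discussed above. It parses access_log lines written with the LogFormat quoted in the thread and counts, per client, the requests logged with "-" in place of a session ID, which lets you confirm from the log whether a change such as "SSLSessionTickets off" took effect. The function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Field order follows the LogFormat quoted in the thread:
#   %H %{SSL_SESSION_ID}e %h %l %u %t "%r" %>s %b
LINE_RE = re.compile(
    r'^(?P<proto>\S+) (?P<sid>\S+) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Return the fields of one access_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # mod_log_config writes "-" when the logged variable is unset.
    rec["sid"] = None if rec["sid"] == "-" else rec["sid"].lower()
    return rec

def summarize(lines):
    """Count requests logged without a session ID (per client) and per session ID."""
    missing, per_session, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["sid"] is None:
            missing[rec["host"]] += 1
        else:
            per_session[rec["sid"]] += 1
    return {"missing_by_client": dict(missing),
            "requests_per_session": dict(per_session),
            "unparsed": unparsed}

SID = "ab" * 32  # constructed 32-byte session ID in hex, not from the thread
SAMPLE = [
    # First line is the one quoted in the thread; the rest are constructed.
    'HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    f'HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:07 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    f'HTTP/1.1 {SID} 172.17.42.1 - - [09/Jul/2015:09:15:08 +0000] "GET /hello/hello HTTP/1.1" 200 89',
    'truncated line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines that do not match the format are counted separately rather than silently dropped, so a LogFormat mismatch shows up as a non-zero "unparsed" value.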