nginx-1.12.1 ssl_session_timeout overwritten by default_server


nginx-1.12.1 ssl_session_timeout overwritten by default_server

nginx mailing list

Hi Nginx,


Today I ran into the case that the value for ssl_session_timeout was overwritten by a different server block (namely, the one with default_server). After asking around in the IRC, it seems that this is more or less expected behaviour (“I suspect as TLS/SSL is done before HTTP protocol”), however, I am left wondering which other variables, besides ssl_session_timeout, I should worry about here.


And is this indeed expected behaviour?


Thanks in advance.


Kind regards,

Chase Sillevis


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: nginx-1.12.1 ssl_session_timeout overwritten by default_server

Maxim Dounin
Hello!

On Wed, Sep 06, 2017 at 12:15:33PM +0200, Chase Sillevis via nginx wrote:

> Today I ran into the case that the value for
> ssl_session_timeout was overwritten by a different server block
> (namely, the one with default_server). After asking around in
> the IRC, it seems that this is more or less expected behaviour
> (“I suspect as TLS/SSL is done before HTTP protocol”), however,
> I am left wondering which other variables, besides
> ssl_session_timeout, I should worry about here.
>
> And is this indeed expected behaviour?

When using SSL and name-based virtual servers, there are two basic
cases to consider:

1. Client is not using the Server Name Indication (SNI) TLS extension.
This is rare nowadays, though still happens.  In this case, the whole
SSL handshake happens before the name the client tries to access is
even known, and all ssl_* settings will be applied from the default
server.

2. Client is using SNI.  In this case, the name the client tries to
connect to is known in advance, and it is possible to apply some
of the ssl_* settings from the relevant name-based virtual server.
Most notably, the appropriate SSL certificate will be used.  It is not
possible to apply all settings though, mostly due to OpenSSL
limitations.  In particular:

- session resumption happens before SNI callback, and hence all
  session-related settings will be used from the default server
  (ssl_session_*);

- protocol will be fixed by OpenSSL before the SNI extension is
  parsed, and hence ssl_protocol will be used from the default
  server;

- ssl_ecdh_curve will be used from the default server
  (https://trac.nginx.org/nginx/ticket/1089).

--
Maxim Dounin
http://nginx.org/
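As an added check (not part of either post, and not nginx's own tooling), a small Python lint that applies the rule described in the reply above: it parses an nginx config, picks the default SSL server (the listen marked default_server, otherwise the first SSL server, which is what nginx does), and reports ssl_session_*, ssl_protocols and ssl_ecdh_curve directives that another name-based server sets to something different, since nginx will take those from the default server regardless. The DEFAULT_ONLY list is drawn from the reply, the sample config is constructed, and the parser is deliberately minimal (it assumes a single ssl listen socket and handles no quoting, include or variables).

```python
"""Lint an nginx config for ssl_* directives that are only honoured from the
default server. Added example, not nginx's own tooling; the parser is minimal."""
import re

# Directives the reply says are applied from the default server even when the
# client sends SNI: session resumption, protocol selection and the ECDH curve
# are settled before or outside the SNI callback. Assumption drawn from the
# reply above, not an official nginx list.
DEFAULT_ONLY = (
    "ssl_session_cache", "ssl_session_timeout", "ssl_session_tickets",
    "ssl_session_ticket_key", "ssl_protocols", "ssl_ecdh_curve",
)

# Constructed sample config (not from the original posts).
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/ssl/default.crt;
        ssl_certificate_key /etc/nginx/ssl/default.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2;
        location / { return 444; }
    }
    server {
        listen 443 ssl;
        server_name app.example.com;
        ssl_certificate     /etc/nginx/ssl/app.crt;
        ssl_certificate_key /etc/nginx/ssl/app.key;
        ssl_session_timeout 1d;          # ignored: default server says 5m
        ssl_protocols TLSv1.2 TLSv1.3;   # ignored: default server says TLSv1.2
        ssl_ecdh_curve secp384r1;        # ignored: see ticket #1089
    }
}
"""


def parse_servers(conf):
    """Return one list of (directive, [args]) per server{} block.
    Comments are stripped and nested blocks (location {...}) dropped, so only
    server-level directives remain. No quoting, include or variable support."""
    text = re.sub(r"#[^\n]*", "", conf)
    servers = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):           # find the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        while True:                               # peel off nested blocks, innermost first
            body, n = re.subn(r"[^{};]*\{[^{}]*\}", "", body)
            if not n:
                break
        directives = []
        for stmt in body.split(";"):
            parts = stmt.split()
            if parts:
                directives.append((parts[0], parts[1:]))
        servers.append(directives)
    return servers


def get(server, name):
    """First value of a directive as a string, or None if unset."""
    for n, args in server:
        if n == name:
            return " ".join(args)
    return None


def is_ssl(server):
    return any(n == "listen" and "ssl" in args for n, args in server)


def find_default_ssl_server(servers):
    """nginx uses the listen marked default_server, else the first server on
    that address:port. Simplification: assumes a single ssl listen socket."""
    ssl_servers = [s for s in servers if is_ssl(s)]
    for s in ssl_servers:
        if any(n == "listen" and "default_server" in args for n, args in s):
            return s
    return ssl_servers[0] if ssl_servers else None


def find_overridden(servers):
    """(server_name, directive, value set here, value actually in effect) for
    each DEFAULT_ONLY directive a non-default ssl server sets differently from
    the default server. An effective value of None means nginx's built-in default."""
    default = find_default_ssl_server(servers)
    if default is None:
        return []
    findings = []
    for s in servers:
        if s is default or not is_ssl(s):
            continue
        name = get(s, "server_name") or "<unnamed>"
        for d in DEFAULT_ONLY:
            mine, effective = get(s, d), get(default, d)
            if mine is not None and mine != effective:
                findings.append((name, d, mine, effective))
    return findings


if __name__ == "__main__":
    for name, d, mine, effective in find_overridden(parse_servers(SAMPLE_CONF)):
        print(f"{name}: {d} {mine!r} is ignored; default server gives "
              f"{effective if effective is not None else 'nginx built-in default'}")
```

Run it against a real config by reading the file into `parse_servers`; anything it reports for ssl_session_timeout, ssl_protocols or ssl_ecdh_curve needs to move into the default_server block (or be made identical there) to take effect.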