Summary: | Expose a variable to identify SSL Session renegotiated | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Klaubert <klaubert> |
Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | NEW --- | ||
Severity: | normal | CC: | klaubert |
Priority: | P3 | ||
Version: | 2.5-HEAD | ||
Target Milestone: | --- | ||
Hardware: | Sun | ||
OS: | Solaris |
Description
Klaubert
2010-05-12 09:54:13 UTC
I can confirm that with the latest rev of Apache and OpenSSL that the SSL_SESSION_ID data is blank on the initial connection where SSL_SESSION_RESUMED is equal to "Initial". Thus : SERVER_SOFTWARE: Apache/2.4.9 (Unix) PHP/5.4.26 OpenSSL/1.0.1e SSL_SESSION_ID: SSL_SESSION_RESUMED: Initial SSL_VERSION_INTERFACE: mod_ssl/2.4.4 SSL_VERSION_LIBRARY: OpenSSL/1.0.1e This seems blatently wrong that the SESSION ID is blank given that section 7 ( page 26 ) of RFC 5246 states : The Handshake Protocol is responsible for negotiating a session, which consists of the following items: session identifier An arbitrary byte sequence chosen by the server to identify an active or resumable session state. One would think that with TLS1.2 that the handshake process is complete in order to receive a page of data in a modern browser via https and therefore the SSL_SESSION_ID is not blank. Other reasonable SSL environment variables are complete and look correct thus : SSL_CIPHER: DHE-RSA-AES256-SHA SSL_CIPHER_ALGKEYSIZE: 256 SSL_CIPHER_EXPORT: false SSL_CIPHER_USEKEYSIZE: 256 SSL_CLIENT_VERIFY: NONE SSL_COMPRESS_METHOD: NULL SSL_PROTOCOL: TLSv1.2 SSL_SECURE_RENEG: true SSL_SERVER_A_KEY: rsaEncryption SSL_SERVER_A_SIG: sha1WithRSAEncryption SSL_SERVER_I_DN: CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US SSL_SERVER_I_DN_C: US SSL_SERVER_I_DN_CN: VeriSign Class 3 Extended Validation SSL CA SSL_SERVER_I_DN_O: VeriSign, Inc. SSL_SERVER_I_DN_OU: VeriSign Trust Network etc etc. Seems wrong that SSL_SESSION_ID is blank. Dennis |