httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 49277] Expose a variable to identify SSL Session renegotiated
Date Wed, 26 Mar 2014 22:05:05 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49277

Dennis Clarke <dclarke@blastwave.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P2                          |P3
           Hardware|All                         |Sun
                 OS|All                         |Solaris
           Severity|enhancement                 |normal

--- Comment #1 from Dennis Clarke <dclarke@blastwave.org> ---

I can confirm that with the latest rev of Apache and OpenSSL that the 
SSL_SESSION_ID data is blank on the initial connection where
SSL_SESSION_RESUMED
is equal to "Initial".

Thus : 

SERVER_SOFTWARE: Apache/2.4.9 (Unix) PHP/5.4.26 OpenSSL/1.0.1e

SSL_SESSION_ID:
SSL_SESSION_RESUMED: Initial
SSL_VERSION_INTERFACE: mod_ssl/2.4.4
SSL_VERSION_LIBRARY: OpenSSL/1.0.1e

This seems blatently wrong that the SESSION ID is blank given that section 7 (
page 26 ) of RFC 5246 states : 

 The Handshake Protocol is responsible for negotiating a session,
   which consists of the following items:

   session identifier
      An arbitrary byte sequence chosen by the server to identify an
      active or resumable session state.


One would think that with TLS1.2 that the handshake process is complete in 
order to receive a page of data in a modern browser via https and therefore
the SSL_SESSION_ID is not blank.

Other reasonable SSL environment variables are complete and look correct 
thus : 

SSL_CIPHER: DHE-RSA-AES256-SHA
SSL_CIPHER_ALGKEYSIZE: 256
SSL_CIPHER_EXPORT: false
SSL_CIPHER_USEKEYSIZE: 256
SSL_CLIENT_VERIFY: NONE
SSL_COMPRESS_METHOD: NULL
SSL_PROTOCOL: TLSv1.2
SSL_SECURE_RENEG: true
SSL_SERVER_A_KEY: rsaEncryption
SSL_SERVER_A_SIG: sha1WithRSAEncryption
SSL_SERVER_I_DN: CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use
at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\,
Inc.,C=US
SSL_SERVER_I_DN_C: US
SSL_SERVER_I_DN_CN: VeriSign Class 3 Extended Validation SSL CA
SSL_SERVER_I_DN_O: VeriSign, Inc.
SSL_SERVER_I_DN_OU: VeriSign Trust Network

etc etc. 

Seems wrong that SSL_SESSION_ID is blank.

Dennis

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message