From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 49277] Expose a variable to identify SSL Session renegotiated
Date: Wed, 26 Mar 2014 22:05:05 +0000
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_ssl
X-Bugzilla-Version: 2.5-HEAD
X-Bugzilla-Who: dclarke@blastwave.org
X-Bugzilla-Status: NEW

https://issues.apache.org/bugzilla/show_bug.cgi?id=49277

Dennis Clarke changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P2                          |P3
           Hardware|All                         |Sun
                 OS|All                         |Solaris
           Severity|enhancement                 |normal

--- Comment #1 from Dennis Clarke ---
I can confirm that with the latest rev of Apache and OpenSSL that the
SSL_SESSION_ID data is blank on the initial connection where
SSL_SESSION_RESUMED is equal to "Initial".

Thus :

    SERVER_SOFTWARE: Apache/2.4.9 (Unix) PHP/5.4.26 OpenSSL/1.0.1e
    SSL_SESSION_ID:
    SSL_SESSION_RESUMED: Initial
    SSL_VERSION_INTERFACE: mod_ssl/2.4.4
    SSL_VERSION_LIBRARY: OpenSSL/1.0.1e

This seems blatantly wrong that the SESSION ID is blank given that section 7
( page 26 ) of RFC 5246 states :

    The Handshake Protocol is responsible for negotiating a session,
    which consists of the following items:

    session identifier
       An arbitrary byte sequence chosen by the server to identify an
       active or resumable session state.

One would think that with TLS1.2 that the handshake process is complete in
order to receive a page of data in a modern browser via https and therefore
the SSL_SESSION_ID is not blank.

Other reasonable SSL environment variables are complete and look correct
thus :

    SSL_CIPHER: DHE-RSA-AES256-SHA
    SSL_CIPHER_ALGKEYSIZE: 256
    SSL_CIPHER_EXPORT: false
    SSL_CIPHER_USEKEYSIZE: 256
    SSL_CLIENT_VERIFY: NONE
    SSL_COMPRESS_METHOD: NULL
    SSL_PROTOCOL: TLSv1.2
    SSL_SECURE_RENEG: true
    SSL_SERVER_A_KEY: rsaEncryption
    SSL_SERVER_A_SIG: sha1WithRSAEncryption
    SSL_SERVER_I_DN: CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
    SSL_SERVER_I_DN_C: US
    SSL_SERVER_I_DN_CN: VeriSign Class 3 Extended Validation SSL CA
    SSL_SERVER_I_DN_O: VeriSign, Inc.
    SSL_SERVER_I_DN_OU: VeriSign Trust Network

etc etc.

Seems wrong that SSL_SESSION_ID is blank.

Dennis