From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 56324] SSL_SESSION_ID should not be blank even if SSL_SESSION_RESUMED is "Initial"
Date: Sat, 05 Apr 2014 20:03:21 +0000
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Version: 2.4.7
X-Bugzilla-Who: dclarke@blastwave.org
X-Bugzilla-Changed-Fields: priority bug_severity
https://issues.apache.org/bugzilla/show_bug.cgi?id=56324

Dennis Clarke changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Priority|P2                          |P4
          Severity|major                       |normal

--- Comment #3 from Dennis Clarke ---
A solution was found at the Red Hat site, which states that SSLv3 must be in
the SSLProtocol list and that there is no promise to deliver a SSL_SESSION_ID
in the TLS protocol spec. Therefore change the SSLProtocol config to:

    SSLProtocol +SSLv3 -TLSv1.1 -TLSv1 -TLSv1.2

This results in the following standard SSL environment variables with the
SSL_SESSION_ID set:

    SERVER_SOFTWARE: Apache/2.4.9 (Unix) PHP/5.4.26 OpenSSL/1.0.1e
    SSL_CIPHER: DHE-RSA-AES256-SHA
    SSL_CIPHER_ALGKEYSIZE: 256
    SSL_CIPHER_EXPORT: false
    SSL_CIPHER_USEKEYSIZE: 256
    SSL_CLIENT_VERIFY: NONE
    SSL_COMPRESS_METHOD: NULL
    SSL_PROTOCOL: SSLv3
    SSL_SECURE_RENEG: true
    SSL_SERVER_A_KEY: rsaEncryption
    SSL_SERVER_A_SIG: sha1WithRSAEncryption
    SSL_SESSION_ID: 0d1e27e44864fba71d718fb6ef2b71971b8fd4468f9641d59c1dd36ad2761a24
    SSL_SESSION_RESUMED: Initial
    SSL_VERSION_INTERFACE: mod_ssl/2.4.9
    SSL_VERSION_LIBRARY: OpenSSL/1.0.1e

The docs at the Red Hat site state:

    A generic web browser sends a "Client Hello" message with the
    "SessionTicket TLS" extension of data length=0 during the TLS handshake.
    If "SessionTicket TLS" (data length=0) is presented by the client, the
    server will handle a session ticket instead of a session id. Therefore,
    the server does not generate a session id. On the second access, it sends
    "Client Hello" with the session ticket which was received in the first
    access, and the server validates it and, if it is valid, generates a
    session id. This behavior is defined by RFC5077 and is the reason why a
    session id does not appear at a first access and appears at a second
    access.

    This is an unavoidable limitation as long as TLSv1 is used and the client
    implementation uses the "SessionTicket TLS" extension; however, when
    configuring the client to use SSLv3 instead of TLSv1, a session id always
    appears, because SSLv3 has no such extension. Please consider using SSLv3
    if possible.

I can confirm that the same "limitation" exists with TLS v1.1 and v1.2.

Dennis

ps: reduced bug report to P4 normal
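The Red Hat explanation quoted in the comment turns on one detail of the ClientHello: whether the client sends the RFC 5077 SessionTicket extension (type 35) with zero-length data. The following Python script is an added illustration, not code from the bug report, mod_ssl, or Red Hat; it constructs minimal TLS 1.0 ClientHello records, parses the session_id field and the SessionTicket extension back out, and classifies each record the way the quoted explanation describes. The function names `build_client_hello`, `parse_client_hello` and `classify_resumption` and the sample byte strings are mine; the classification labels summarize the explanation above and are not mod_ssl variable values.

```python
import struct

SESSION_TICKET_EXT = 35  # RFC 5077 "SessionTicket TLS" extension type


def build_client_hello(session_id=b"", session_ticket=None):
    """Construct a minimal TLS 1.0 ClientHello record (sample data, not captured).

    session_ticket=None  -> no SessionTicket extension at all
    session_ticket=b""   -> empty extension (the "data length=0" first-access case)
    session_ticket=bytes -> resumption attempt carrying a previously issued ticket
    """
    client_random = bytes(range(32))          # constructed, deliberately not random
    cipher_suites = b"\x00\x39"               # DHE-RSA-AES256-SHA, as in the report
    body = b"\x03\x01" + client_random        # client_version 3.1 (TLS 1.0)
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                       # one compression method: null
    if session_ticket is not None:
        ext = struct.pack("!HH", SESSION_TICKET_EXT, len(session_ticket)) + session_ticket
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the resumption-relevant fields of a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 0
    version = (body[pos], body[pos + 1]); pos += 2
    pos += 32                                  # skip client random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    session_ticket = None                      # None = extension absent
    if pos < len(body):                        # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == SESSION_TICKET_EXT:
                session_ticket = edata
    return {"version": version, "session_id": session_id, "session_ticket": session_ticket}


def classify_resumption(fields):
    """Map the parsed fields onto the behaviour described in the bug comment."""
    ticket = fields["session_ticket"]
    if ticket is not None and len(ticket) == 0:
        # First access from a ticket-capable client: server issues a ticket,
        # no session id is generated, so SSL_SESSION_ID has nothing to show.
        return "new-session-ticket"
    if ticket:
        # Second access: client presents the ticket it was given.
        return "resume-ticket"
    if fields["session_id"]:
        return "resume-session-id"
    # No ticket extension (e.g. SSLv3 client): server assigns a session id.
    return "new-session-id"


if __name__ == "__main__":
    for label, rec in [
        ("browser first access", build_client_hello(session_ticket=b"")),
        ("browser second access", build_client_hello(session_ticket=b"\xaa" * 16)),
        ("SSLv3-style client", build_client_hello()),
        ("session-id resumption", build_client_hello(session_id=b"\x01" * 32)),
    ]:
        f = parse_client_hello(rec)
        print(f"{label:22s} sid={f['session_id'].hex() or '-':8.8s} "
              f"ticket={f['session_ticket']!r:>12} -> {classify_resumption(f)}")
```

Run against real traffic the same logic explains the "blank on first access, present on second" pattern the report complains about: a client that offers an empty SessionTicket extension gets a ticket instead of a server-side session id, so there is nothing for mod_ssl to export on the initial handshake. Note that SSLv3, the workaround adopted in the comment, was formally deprecated by RFC 7568 in 2015.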