Various debugging info not shown

Hi,

I am trying to debug handshakes and ticket reuse. Lots of debugging
information is shown in my error_log, but some info is skipped.
Specifically, info from: /src/event/ngx_event_openssl.c. For example,

ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
               "ssl new session: %08XD:%d:%d",
               hash, sess->session_id_length, len);

ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
               "ssl get session: %08XD:%d", hash, len);

don't seem to be executed, i.e. neither is shown in my logs. On the
other hand

if (SSL_session_reused(c->ssl->connection)) {
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL reused session");
}

gets executed, i.e. "SSL reused session" is shown in the logs.

Any ideas?

Thanks


My setup:

nginx 1.5.6, with --with-debug compiled

in nginx.conf, events { debug_connection: }

site uses SSL, with ssl_session_cache shared:SSL:10m; and
ssl_session_timeout 1680m; SSL configuration is working fine.

Hello!

On Sun, Oct 27, 2013 at 10:30:53AM +0100, Alex wrote:

> Any ideas?
What makes you think that “info is skipped”, rather than assuming
the relevant code isn’t executed for some reason?


Maxim D.
http://nginx.org/en/donation.html

Hi Maxim,

Good question. I have been debugging a SSL configuration for some time,
and one of the things I’ve been testing for is the renewal of session
tickets. I used a thin client for that purpose:
https://github.com/grooverdan/rfc5077

Anyhow, according to the test, session renewal appears to work as
intended:

./gnutls-client -r -d 10 mysite 443

[✔] Parse arguments.
[✔] Initialize GNU TLS library.
[✔] Solve mysite:443:
│ Will connect to myip
[✔] Initialize TLS session.
[✔] Enable use of session tickets (RFC 5077).
[✔] Connect to mysite:443.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
│ SSL session was not used
[✔] Get current session:
│ Session context:
│ Protocol : TLS1.2
│ Cipher : AES-256-CBC
│ Kx : DHE-RSA
│ Compression : NULL
│ PSK : (null)
│ ID : D18B216F82B277FCA97B95E35E91A323F922873483FD02FB025FE94106CB50C3
[✔] Send HTTP GET.
[✔] Get HTTP answer:
│ HTTP/1.1 301 Moved Permanently
[✔] End TLS connection.
[✔] waiting 10 seconds.
[✔] Initialize TLS session.
[✔] Enable use of session tickets (RFC 5077).
[✔] Copy old session.
[✔] Connect to mysite:443.
[✔] Start TLS renegotiation.
[✔] Check if session was reused:
│ SSL session correctly reused
[✔] Get current session:
│ Session context:
│ Protocol : TLS1.2
│ Cipher : AES-256-CBC
│ Kx : DHE-RSA
│ Compression : NULL
│ PSK : (null)
│ ID : D18B216F82B277FCA97B95E35E91A323F922873483FD02FB025FE94106CB50C3
[✔] Send HTTP GET.
[✔] Get HTTP answer:
│ HTTP/1.1 301 Moved Permanently
[✔] End TLS connection.

So I thought when I enable full debugging, I’d see the relevant debug
information in the error log, such as ssl new session / ssl get session
from ngx_event_openssl.c - of which nothing is shown however.

FWIW, the reason why I am actually trying to debug this is because for
some reason, when I choose a larger delay between the two test
renegotiations, instead of 10s, let's say 3600s, then the previous
session would not get reused, despite the fact that in my nginx site
config I set a very large session timeout (1680m).

Cheers,
Alex

Hi,

> Any ideas?

Your client is using TLS Session Tickets (client-side caching), so the
nginx-side cache isn't used for those sessions.

Best regards,
Piotr S.

OK, I found out why sessions wouldn't be resumed after 3600s in my
tests... it's not that nginx would have stopped caching the session,
but it's the client. For example, openssl wouldn't cache sessions for
longer than two hours:

/ssl/t1_lib.c (same also for sslv3)

long tls1_default_timeout(void)
{
    /* 2 hours, the 24 hours mentioned in the TLSv1 spec
     * is way too long for http, the cache would over fill */
    return(60*60*2);
}

Oh well. rfc2246 states that cached sessions may be used for up to 24
hours (http://tools.ietf.org/html/rfc2246#appendix-F.1.4).

Curious how popular browsers such as Chrome or Firefox behave in this
regard.

Anyhow, I am still not sure why the nginx debug data didn’t show
anything about session resumption in my case, but I guess I won’t need
the information now.

Thanks again.
Alex
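Piotr's point that ticket resumption lives on the client, and the client-side limit Alex ran into, can be checked end to end without nginx. The Go program below is an added example, not code from this thread or from nginx: it runs a TLS server on a loopback port with a constructed self-signed certificate and shows that a second handshake resumes only when the server hands out a ticket and the client keeps it; whatever the server's timeout says, a client that stores nothing gets a full handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// handshake accepts one loopback connection server-side, dials it client-side and
// reports whether the client resumed a previous session.
func handshake(ln net.Listener, srvCfg, cliCfg *tls.Config) bool {
	go func() {
		if raw, err := ln.Accept(); err == nil {
			s := tls.Server(raw, srvCfg)
			s.Write([]byte{0}) // Write runs the handshake, then sends one byte of app data
			s.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil { return false }
	defer c.Close()
	c.Read(make([]byte, 1)) // also consumes a TLS 1.3 post-handshake NewSessionTicket
	return c.ConnectionState().DidResume
}

// ResumeTwice runs two handshakes against one server config and returns DidResume for each.
// serverTickets=false: no ticket is issued (Go keeps no server cache); clientCache=false: the
// client stores nothing, which is the client-side limit the thread ran into.
func ResumeTwice(serverTickets, clientCache bool) (first, second bool) {
	// Throwaway self-signed certificate for the in-process server (constructed here).
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { panic(err) }
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		SessionTicketsDisabled: !serverTickets}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if clientCache { cliCfg.ClientSessionCache = tls.NewLRUClientSessionCache(8) }
	return handshake(ln, srvCfg, cliCfg), handshake(ln, srvCfg, cliCfg)
}
```

With both sides keeping state the second handshake reports DidResume=true; turning off either the server's tickets or the client's cache makes it false, which is the same asymmetry the thread's 3600s test exposed.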
