https://issues.apache.org/bugzilla/show_bug.cgi?id=56324

            Bug ID: 56324
           Summary: SSL_SESSION_ID should not be blank even if
                    SSL_SESSION_RESUMED is "Initial"
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: Sun
                OS: Solaris
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]

n.b. : This may be related to 49277 or 52542

In lines 517 onwards of modules/ssl/ssl_util_ssl.c I see : 

   517  /*  _________________________________________________________________
   518  **
   519  **  Session Stuff
   520  **  _________________________________________________________________
   521  */
   522  
   523  char *SSL_SESSION_id2sz(unsigned char *id, int idlen,
   524                          char *str, int strsize)
   525  {
   526      if (idlen > SSL_MAX_SSL_SESSION_ID_LENGTH)
   527          idlen = SSL_MAX_SSL_SESSION_ID_LENGTH;
   528          
   529      /* We must ensure not to process more than what would fit in the
   530       * destination buffer, including terminating NULL */
   531      if (idlen > (strsize-1) / 2)
   532          idlen = (strsize-1) / 2;
   533  
   534      ap_bin2hex(id, idlen, str);
   535  
   536      return str;
   537  }


What I don't see is a check for idlen being 0 and therefore a need for a 
valid id as per section 7 ( page 26 ) of RFC 5246 which states : 

   The Handshake Protocol is responsible for negotiating a session,
   which consists of the following items:

   session identifier
      An arbitrary byte sequence chosen by the server to identify an
      active or resumable session state.

One would think that with TLS1.2 that the handshake process is complete in 
order to receive a page of data in a modern browser via https and therefore
the SSL_SESSION_ID is not blank.

On initial connect and GET from Apache 2.4.9 ( Apache/2.4.9 (Unix) 
PHP/5.4.26 OpenSSL/1.0.1e ) I do get other reasonable SSL environment 
variables and they look correct thus : 

SSL_CIPHER: DHE-RSA-AES256-SHA
SSL_CIPHER_ALGKEYSIZE: 256
SSL_CIPHER_EXPORT: false
SSL_CIPHER_USEKEYSIZE: 256
SSL_CLIENT_VERIFY: NONE
SSL_COMPRESS_METHOD: NULL
SSL_PROTOCOL: TLSv1.2
SSL_SECURE_RENEG: true
SSL_SERVER_A_KEY: rsaEncryption
SSL_SERVER_A_SIG: sha1WithRSAEncryption
SSL_SERVER_I_DN: CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use
at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\,
Inc.,C=US
SSL_SERVER_I_DN_C: US
SSL_SERVER_I_DN_CN: VeriSign Class 3 Extended Validation SSL CA
SSL_SERVER_I_DN_O: VeriSign, Inc.
SSL_SERVER_I_DN_OU: VeriSign Trust Network

etc etc. 

However : 

SSL_SESSION_ID:
SSL_SESSION_RESUMED: Initial
SSL_VERSION_INTERFACE: mod_ssl/2.4.4
SSL_VERSION_LIBRARY: OpenSSL/1.0.1e

Seems wrong that SSL_SESSION_ID is blank.

Dennis
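To make the behaviour of the quoted SSL_SESSION_id2sz() concrete, here is an added stand-alone re-implementation (not httpd's own code) with a constructed bin2hex helper, so the clamping and the zero-length case that produces the blank SSL_SESSION_ID above can be exercised directly. It assumes SSL_MAX_SSL_SESSION_ID_LENGTH is 32, as in OpenSSL's ssl.h.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for httpd's ap_bin2hex(): writes 2*len lowercase hex
 * characters followed by a terminating NUL into dest. */
static void bin2hex(const unsigned char *src, int len, char *dest)
{
    static const char hex[] = "0123456789abcdef";
    int i;
    for (i = 0; i < len; i++) {
        dest[2 * i]     = hex[src[i] >> 4];
        dest[2 * i + 1] = hex[src[i] & 0x0f];
    }
    dest[2 * len] = '\0';
}

#define MAX_SESSION_ID_LEN 32  /* assumed value of SSL_MAX_SSL_SESSION_ID_LENGTH */

/* Same logic as the quoted SSL_SESSION_id2sz(): clamp to the protocol
 * maximum, then to what fits in str (two hex chars per byte plus NUL).
 * The idlen < 0 guard is an extra defensive check added here. */
char *session_id2sz(const unsigned char *id, int idlen, char *str, int strsize)
{
    if (idlen < 0)
        idlen = 0;
    if (idlen > MAX_SESSION_ID_LEN)
        idlen = MAX_SESSION_ID_LEN;
    if (idlen > (strsize - 1) / 2)
        idlen = (strsize - 1) / 2;
    bin2hex(id, idlen, str);       /* idlen == 0 yields "" : a blank variable */
    return str;
}

/* Runs session_id2sz() on a constructed id of idlen bytes and a destination of
 * strsize bytes, returning the length of the hex string produced. */
int hex_len_for(int idlen, int strsize)
{
    unsigned char id[64];
    char str[256];
    int i;
    if (idlen > (int)sizeof(id))    idlen = (int)sizeof(id);
    if (strsize > (int)sizeof(str)) strsize = (int)sizeof(str);
    for (i = 0; i < idlen; i++)
        id[i] = (unsigned char)(0xa0 + i);   /* constructed sample bytes */
    return (int)strlen(session_id2sz(id, idlen, str, strsize));
}

int main(void)
{
    printf("idlen 0  -> %d hex chars (blank)\n", hex_len_for(0, 65));
    printf("idlen 32 -> %d hex chars\n", hex_len_for(32, 65));
    printf("idlen 40 -> %d hex chars (clamped)\n", hex_len_for(40, 65));
    return 0;
}
```

A zero-length id is thus passed straight through as an empty string; nothing in the conversion itself distinguishes "no id" from a truncation to zero by an undersized buffer, so a check for that condition has to live in the caller.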
