https://issues.apache.org/bugzilla/show_bug.cgi?id=56324
--- Comment #5 from Dennis Clarke <[email protected]> ---

This bug may be valid after all. A site running with the httpd-ssl.conf config that only supports TLSv1.2 seems to issue a valid Session-ID to an openssl client but not to a browser when the SSL_SESSION_ID is requested via a cgi binary or script which executes via the option ExecCGI.

Thus:

    $ /usr/local/ssl/bin/openssl version
    OpenSSL 1.0.1j 15 Oct 2014
    $ /usr/local/ssl/bin/openssl s_client -state -tls1_2 -status -connect node.mysite.com:443
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    OCSP response: no response sent
    SSL_connect:SSLv3 read server hello A
    . . .snip .
    ---
    SSL handshake has read 1734 bytes and written 443 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 19E91F71ABDFBDCE5A2E1D523741B7FC3C1B40603B3E9CE82A1FA553B7ACFC7C
        Session-ID-ctx:
        . . . etc etc

There we see a SSL session identifier returned even from a site running only TLS v 1.2 however the same SSL_SESSION_ID is blank within any cgi script which requests it.

Seems like a valid bug.

Within ssl_engine_vars.c down in modules/ssl we see that if SESSION_RESUMED is Initial then we should get valid data for SESSION_ID via SSL_SESSION *pSession = SSL_get_session(ssl) because pSession->session_id should not be blank.

In any case, I continue to dig into this as the existence of a valid SSL_SESSION_ID seems very useful and almost essential. Certainly for http traffic load balance switches.
