Investigate nginx 1.24.0 session resumption #30
Comments
This wasn't totally correct, it turned out only port 8446 had the regression. The root cause was in fact related to session ticket support, but specifically an interplay between 1.23.2+ and the Remaining: figuring out why the rustls ticketer isn't working and how to best support session tickets/shared mode session cache w/ the compat |
FWIW This was a stupid mistake on my part; I was initializing the ticketer per-connection and so of course the decryption key didn't match for the resumed connection. More progress in #35 |
Similar to #18, but for the server-side of the equation. We already have some support for traditional session resumption, but there is some API surface/behaviour related to session tickets not yet implemented.
In particular using Nginx 1.24.0 with the runner.rs nginx/curl resumption tests causes all requests to the server configurations that are supposed to return
"r"from/ssl-was-reusedto return"."instead.On startup, nginx logs:
That in turn seems to be emitted in
ngx_event_openssl.cwhenSSL_CTX_set_tlsext_ticket_key_cbfails. Both that function (deprecated) and the replacementSSL_CTX_set_tlsext_ticket_key_evp_cbare#define's that expand to calls toSSL_CTX_callback_ctrlwithcmd == SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB.One option to resolve the above is to stub
SSL_CTX_set_tlsext_ticket_key_cband not call the callback. This in combination with setting a ticketer on the RustlsServerConfigshould be enough to get session ticket resumption working with Nginx 1.24. I tried this briefly and found the aws-lc-rs ticketer was always failing to decrypt-in-place the session ticket provided by curl w/ a resumption connection. More investigation is required.See also some discussion on #18 placed there when I hadn't realized that #18 was client-specific.
The text was updated successfully, but these errors were encountered: