Bug 1461580 - TLS Session ID not maintained
Status: MODIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_nss
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: ipa-qe
Keywords: ZStream
Blocks: 1420851 1472344 1477926 1490412 1479766
Reported: 2017-06-14 16:32 EDT by Robert Bost
Modified: 2017-09-18 12:21 EDT
Fixed In Version: mod_nss-1.0.14-11.el7
Clones: 1479766
Type: Bug
Attachments: None
Description Robert Bost 2017-06-14 16:32:10 EDT
Description of problem: The TLS Session ID is not maintained across handshakes and a new Session ID is generated each handshake.

Version-Release number of selected component (if applicable): mod_nss-1.0.14-10.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. yum install -y httpd mod_nss
2. systemctl start httpd
3. # echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 003650B19B45B603120D4CC1611E07A5F681338884832A5E2111F8B242E818BC
    Session-ID: 003570E3FFFEABB33DC3816C64CDBC625F663ABD5CDFDC19A298CF51BCB0F62D
    Session-ID: 0034DDC8CFABC4CC8665A833E380D917E083801E0CD11BD97103F34884FD798E
    Session-ID: 0033B3E13C454E0359719A6B8E1355A1F5C320B5C3F8419A2C101B004A655767
    Session-ID: 00377682357FD9D5B924DEEBD85828044D448B04B9077390B4145C73DFBBF464
    Session-ID: 0032F2E98707894674C2BD8875972196E1D412C4505F0286285E0EC6DC9C48E5

Actual results: Different TLS Session ID every handshake.

Expected results: Reuse of TLS Session ID like below:
# echo Q | openssl s_client -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
    Session-ID: 0049728A4B80EC28208D468BEC71CB3BAD9101683083B50FDA81D741993F4D5B
Additional info:
This upstream patch resolves the issue (I've confirmed this locally): https://pagure.io/mod_nss/c/5709d481a3cd327c157a1f39a2e9018e0feefd75?branch=master
Comment 5 Hubert Kario 2017-07-14 06:58:30 EDT
(Just to make sure that it's not a combination of multiple bugs.)

What is the protocol version used? What is the ciphersuite negotiated?
Comment 6 Robert Bost 2017-07-18 11:19:11 EDT
> What is the protocol version used? What is the ciphersuite negotiated?

Protocol: TLSv1.2
Cipher  : ECDHE-RSA-AES256-SHA

The issue is reproducible with TLSv1.1 and other cipher suites as well. For example:

# echo Q | openssl s_client -tls1_1 -cipher AES256-SHA -reconnect -connect localhost:8443 2>&1 | grep Session-ID:
    Session-ID: 30BC19DADBE27D59C961BC2A6F324D460B4C292570954CD78E9FCFE81FBDA760
    Session-ID: 30BB5E1A2699568E8F3463B29C5A943111279786298A2266C115BAD07B001045
    Session-ID: 30BE616E7463261CAD4C408E667CC4A1CB028ACE3D30E3F8940C87E3B6F6B3A3
    Session-ID: 30BF41121B9D051ECAE5F5927CE5F7B1F5873EA7185D1E1C9F7FC6F5945BF7B6
    Session-ID: 30BD7CDCE14334442B1E908D77089D214C49719A499DCD87ED3936AB902D04BC
    Session-ID: 30BC2193077E20DC2E0760FA4992FC06E2D77C6A33DDBF1B77A1EA7A7A95140A
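The reproduction step in the description and the repeat in comment 6 both rely on eyeballing the `grep Session-ID:` output. The script below is an added example (not from the bug report or from mod_nss) that turns that check into a pass/fail verdict: it counts the distinct Session-ID values that `openssl s_client -reconnect` prints over its reconnects and reports whether the server resumed the session. The sample outputs embedded at the end are constructed, with IDs shortened, in the shape the report quotes; the only assumptions are a POSIX shell and the `openssl` binary for the live check.

```shell
#!/bin/sh
# Added example: verify TLS session resumption from "openssl s_client -reconnect"
# output. s_client -reconnect performs five reconnects with the session it was
# handed, so a server that resumes sessions prints one Session-ID six times,
# while the mod_nss behaviour reported here prints six different IDs.

# Count distinct Session-ID values in s_client output read from stdin.
# The pattern "Session-ID:" (with the colon) deliberately does not match the
# "Session-ID-ctx:" line that s_client also prints.
count_distinct_session_ids() {
    grep 'Session-ID:' | sed 's/.*Session-ID:[[:space:]]*//' | sort -u | wc -l | tr -d ' '
}

# Classify s_client output read from stdin:
#   resumed      one Session-ID across all reconnects (expected result)
#   not-resumed  more than one Session-ID (the bug described in this report)
#   no-session   the server issued no Session-ID at all, so nothing to resume
classify_session_output() {
    n=$(count_distinct_session_ids)
    if [ "$n" -eq 0 ]; then
        echo no-session
    elif [ "$n" -eq 1 ]; then
        echo resumed
    else
        echo not-resumed
    fi
}

# Live check against host:port, mirroring the report's command line. Any extra
# arguments are passed to s_client (e.g. -tls1_1 -cipher AES256-SHA as in comment 6).
check_session_resumption() {
    host_port=$1
    shift
    echo Q | openssl s_client -reconnect -connect "$host_port" "$@" 2>&1 | classify_session_output
}

# Constructed sample outputs (shortened IDs), not captured from a real server.
BROKEN_SAMPLE='    Session-ID: 003650B19B45B603
    Session-ID-ctx:
    Session-ID: 003570E3FFFEABB33D
    Session-ID: 0034DDC8CFABC4CC86'
FIXED_SAMPLE='    Session-ID: 0049728A4B80EC28
    Session-ID: 0049728A4B80EC28
    Session-ID: 0049728A4B80EC28'

# Usage against a local mod_nss instance: check_session_resumption localhost:8443
```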
