SSL session id affinity #15

Open
nyov opened this issue Jun 26, 2016 · 0 comments


nyov commented Jun 26, 2016

I am using pound in an SSL-offloading proxy capacity and have been wondering if it is possible to have access to the client-side connections' SSL session-ID either as a header like the other X-SSL-* headers, for use in pound's Session config, or both?

From what I have read[1], it should be possible to uniquely identify client connections with the SSL session ID or from TLS tickets (even behind NAT devices, unlike IP), and it would be nice to have that information exposed for load-balancer backend pinning and perhaps to backend services (for added session security in combination with client IP and other info).

HAProxy seems to have such an option (SSLID) according to this blog post.
In Apache mod_ssl, this is available as the SSL_SESSION_ID and SSL_SESSION_RESUMED env variables.

[1] Related information:
http://discourse.haproxy.org/t/ssl-load-balancing-with-session-affinity/86/3
https://security.stackexchange.com/q/48856
https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
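
The affinity key requested in this issue, sketched as an added example (not part of the original post and not pound's code): it reads the session ID from the start of a captured ClientHello, where the length byte sits at offset 43 of the first record, and hashes it to a backend index. The function names, the FNV-1a hash and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* record header (5) + handshake header (4) + client_version (2) + random (32) */
#define SID_LEN_OFF 43

/* Copy the session ID into out, return its length (0..32); -1 if not a ClientHello. */
int clienthello_session_id(const uint8_t *buf, size_t len, uint8_t out[32])
{
    if (len < SID_LEN_OFF + 1) return -1;
    if (buf[0] != 0x16 || buf[1] != 0x03 || buf[5] != 0x01) return -1;
    size_t rec_end = 5 + (((size_t)buf[3] << 8) | buf[4]);
    size_t sid_len = buf[SID_LEN_OFF];
    size_t sid_end = SID_LEN_OFF + 1 + sid_len;
    if (sid_len > 32 || sid_end > len || sid_end > rec_end) return -1;
    memcpy(out, buf + SID_LEN_OFF + 1, sid_len);
    return (int)sid_len;
}

/* FNV-1a hash of the session ID mapped onto n backends; -1 for an empty ID. */
int pick_backend(const uint8_t *sid, int sid_len, int n)
{
    if (sid_len <= 0 || n <= 0) return -1;
    uint32_t h = 2166136261u;
    for (int i = 0; i < sid_len; i++) { h ^= sid[i]; h *= 16777619u; }
    return (int)(h % (uint32_t)n);
}

/* Constructed sample: ClientHello prefix with an all-zero random. */
size_t sample_hello(uint8_t *buf, const uint8_t *sid, uint8_t sid_len)
{
    size_t body = 2 + 32 + 1 + sid_len;          /* version + random + session ID */
    memset(buf, 0, 5 + 4 + body);
    buf[0] = 0x16; buf[1] = 0x03; buf[2] = 0x01; /* handshake record */
    buf[4] = (uint8_t)(4 + body);                /* record length */
    buf[5] = 0x01; buf[8] = (uint8_t)body;       /* ClientHello, body length */
    buf[9] = 0x03; buf[10] = 0x03;               /* client_version */
    buf[SID_LEN_OFF] = sid_len;
    memcpy(buf + SID_LEN_OFF + 1, sid, sid_len);
    return 5 + 4 + body;
}

int main(void)
{
    uint8_t sid[4] = {0xde, 0xad, 0xbe, 0xef}, buf[128], out[32];
    int n = clienthello_session_id(buf, sample_hello(buf, sid, 4), out);
    printf("sid_len=%d backend=%d\n", n, pick_backend(out, n, 3));
    return 0;
}
```

An empty session ID (return value 0) is normal for a client that has no session to resume, so the caller needs a fallback key for that case. In TLS 1.3 this field is a compatibility value rather than a resumption identifier, so it is only a stable key for session-ID resumption in TLS 1.2 and earlier.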
