Issue 879973

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 11
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


Chrome reusing ssl session for requests with different hostnames (SNI)

Reported by dbas...@gmail.com, Sep 3

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Example URL:

Steps to reproduce the problem:
I have a TCP loadbalancer (single IP) routing between two backends based on SNI (without SSL termination). Both backends terminate SSL and have the same wildcard certificate while subdomains are different (e.g. one.example.com and two.example.com, with wildcard SSL certificate for *.example.com).

What is the expected behavior?
Requests for different hostnames should not reuse each other's SSL sessions.

What went wrong?
Sometimes requests to one.example.com are routed to backend two.example.com and vice versa.
It happens when we try to reach two.* and one.* simultaneously or in a short period of time (and from different tabs).
We can see in the loadbalancer log that the wrong request was initiated within previous SSL session, so SNI based routing was unable to detect the right destination.

Did this work before? N/A 

Chrome version: 68.0.3440.106  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version:
 
Labels: Needs-Triage-M68
Cc: vamshi.kommuri@chromium.org
Labels: Triaged-ET TE-NeedsTriageHelp
Thanks for filing the issue!

From comment#0, the issue seems to be out of scope for us to triage this further from our end. Hence adding label "TE-NeedsTriageHelp" and requesting someone from Network team to have a look into this and help in further triaging it.
Labels: Needs-Feedback
Please attach a NetLog of this occurring. Thanks!
https://dev.chromium.org/for-testers/providing-network-details

I'm guessing this is HTTP/2 cross-name pooling, but the NetLog will tell for sure.
Status: WontFix (was: Unconfirmed)
This is working as intended.  If the IP address matches and the certificate matches, we reuse the connection.  This pooling logic is in SpdySessionPool::FindAvailableSession(), see https://cs.chromium.org/chromium/src/net/spdy/spdy_session_pool.cc?q=FindAvailableSession&l=142.
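
For operators of SNI-routed load balancers, the following added example (not part of the thread and not Chromium's code) is a simplified model of the rule stated in the last comment: it flags hostname pairs that share an IP address and a certificate covering both names, and so may end up on one pooled connection. The inventory, hostnames and IP addresses are constructed, and the function names are hypothetical.

```python
from itertools import combinations


def san_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host; '*' may only be the whole
    left-most label and stands for exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, sep, tail = h.partition(".")
    return bool(head) and sep == "." and "." + tail == p[1:]


def cert_covers(sans, host: str) -> bool:
    return any(san_matches(s, host) for s in sans)


def poolable_pairs(backends):
    """backends: {hostname: {"ips": set of str, "sans": list of str}}.
    Returns hostname pairs a pooling client may serve over one connection:
    they resolve to a common IP and one side's certificate covers the other."""
    pairs = []
    for a, b in combinations(sorted(backends), 2):
        shared_ip = backends[a]["ips"] & backends[b]["ips"]
        a_serves_b = cert_covers(backends[a]["sans"], b)
        b_serves_a = cert_covers(backends[b]["sans"], a)
        if shared_ip and (a_serves_b or b_serves_a):
            pairs.append((a, b))
    return pairs


# Constructed inventory: one/two mirror the setup in the report
# (single load balancer IP, same wildcard certificate on both backends).
INVENTORY = {
    "one.example.com":   {"ips": {"192.0.2.10"}, "sans": ["*.example.com"]},
    "two.example.com":   {"ips": {"192.0.2.10"}, "sans": ["*.example.com"]},
    "three.example.com": {"ips": {"192.0.2.20"}, "sans": ["*.example.com"]},
    "four.example.org":  {"ips": {"192.0.2.10"}, "sans": ["four.example.org"]},
}

if __name__ == "__main__":
    for a, b in poolable_pairs(INVENTORY):
        print(f"may share a connection: {a} <-> {b}")
```

Pairs reported by this check are the ones where routing on the SNI of the first handshake alone can send later requests to the wrong backend.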
