SSL::sessionid

Description

Gets the SSL session ID.

Syntax

SSL::sessionid

SSL::sessionid

  • Returns the current connection’s SSL session ID if it exists in the session cache. In version 10.x and higher, if the session ID does not exist in the cache, an empty string is returned. In version 9.x, a string of 64 zeroes is returned instead of an empty string (a known issue documented in SOL11987). Code that tests the return value therefore needs to treat both the empty string and the all-zero string as "not cached" if it must run on both versions.

Note: The session ID does not appear to be added to the SSL session cache when the client SSL profile is set to always validate the client certificate (as opposed to validating once per session). In that configuration SSL::sessionid returns the "not cached" value described above, so examples like the one below that key cached data on the session ID will never populate the session table.

Examples

when CLIENTSSL_CLIENTCERT {
  set cert [SSL::cert 0]
  set sid [SSL::sessionid]
  if { $sid ne "" } {
    # If this SSL session will be cached, then it may be
    # resumed later on a new connection. Cache the cert
    # in the session table in case that happens. Because
    # session IDs are not globally unique, the session ID is
    # combined with the client address to avoid a mismatch.
    set key "[IP::remote_addr]@$sid"
    # Timeout is in seconds; it should not outlive the
    # profile's own SSL session cache timeout.
    session add ssl $key $cert 180
  }
}
when HTTP_REQUEST {
  if { [info exists cert] } {
    # Cert was presented on this connection's handshake.
    set sn [X509::serial_number $cert]
  } else {
    set sid [SSL::sessionid]
    # We don't have a cert, possibly because this is
    # a new connection that was a resumption of a
    # previous SSL session. If that is the reason,
    # the cert will be in the session table.
    if { $sid ne "" } {
      # This SSL session was resumed; retrieve the cached cert
      set key "[IP::remote_addr]@$sid"
      set cert [session lookup ssl $key]
      if { $cert ne "" } {
        set sn [X509::serial_number $cert]
      } else {
        # Session ID present but no cached cert (for example the
        # session table entry has expired): fail closed.
        reject
        return
      }
    }
  }
  if { [info exists sn] } {
    HTTP::header insert Serial $sn
  } else {
    # No serial number available, reject the client
    reject
    return
  }
}
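The example above only checks for the empty string, which is correct on version 10.x and higher but, per the description, misses the 64-zero placeholder returned on 9.x. The following iRule is an added example (not from the original page) of a version-tolerant "is the session cached?" test that records the result once at handshake time so later events do not have to repeat the string check. It assumes the return values stated in the description (empty on 10.x+, 64 zeroes on 9.x) and that the ID is returned as a printable string, as the page's own example already assumes; the header name X-SSL-Session-Cached is a placeholder chosen for illustration.

```tcl
# Added example, not part of the original page. Assumes the description's
# return values: "" on 10.x+, 64 zeroes on 9.x when the ID is not cached.
when CLIENTSSL_HANDSHAKE {
  set sid [SSL::sessionid]
  # Stripping every "0" from the 9.x placeholder leaves "", so one test
  # covers both the 10.x+ empty string and the 9.x all-zero string.
  if { $sid eq "" || [string trim $sid "0"] eq "" } {
    # Not in the session cache (for example the client SSL profile is set
    # to always validate the client certificate; see the note above).
    # Nothing can be keyed on the session ID for this connection.
    log local0. "[IP::client_addr]:[TCP::client_port] SSL session not cached"
    set ssl_cached 0
  } else {
    log local0. "[IP::client_addr]:[TCP::client_port] SSL session id $sid"
    set ssl_cached 1
  }
}
when HTTP_REQUEST {
  # Variables set in CLIENTSSL_HANDSHAKE persist for the connection;
  # guard with info exists in case the handshake event did not run.
  if { [info exists ssl_cached] && $ssl_cached } {
    # X-SSL-Session-Cached is a placeholder header name for this example.
    HTTP::header insert X-SSL-Session-Cached "1"
  }
}
```

The same `$sid eq "" || [string trim $sid "0"] eq ""` test can replace the bare `$sid ne ""` checks in the example above when the iRule must also run on 9.x; otherwise a 9.x device would cache and look up certificates under a key built from the all-zero placeholder, which is shared by every client and would return the wrong certificate.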